Access Edge Certificate

  • Question

  • Isn't this guidance wrong on this site:
    http://technet.microsoft.com/en-us/library/bb870338.aspx

    For the Access Edge:
    A certificate configured on the external interface with a subject name that matches the external FQDN of the edge server. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternate Name of the certificate. For example, if your organization supports two domains a.contoso.com and b.contoso.com and a.contoso.com is the external FQDN of your Edge Server, SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com.

    If we name our Access Edge FQDN a.contoso.com, the CN should be a.contoso.com, not sip.a.contoso.com.

    For example, if we name our Access Edge sip.domain.com, then our CN would be sip.domain.com.

    Granted, we would still want a sip.a.contoso.com, because if the SRV record lookup failed, Communicator would still try to find sip.<domain>, which in this case would be sip.a.contoso.com.


    Saturday, August 2, 2008 5:26 AM

Answers

  • I think that example is a bit confusing.  They are using the domain names a.domain.com and b.domain.com as examples, so in your scenario you couldn't select a.domain.com for the Access Edge external FQDN, as that IS the name of the domain itself.  You'd have to choose something like xyz.a.domain.com for a name.  I think the longer domain name appears confusing.

    So if your SIP domains are corp.contoso.com and sales.contoso.com, and you've chosen ocsedge.corp.contoso.com as the Access Edge external FQDN, then your certificate should be configured as:

    SN=ocsedge.corp.contoso.com

    SAN=sip.corp.contoso.com, sip.sales.contoso.com

    Sunday, August 3, 2008 12:44 PM
    Moderator

All replies

  • OK, so I was correct in my thinking and the Microsoft documentation is incorrect.  I think they meant to put the external Access Edge FQDN as sip.a.contoso.com, not a.contoso.com.
    Sunday, August 3, 2008 1:49 PM
  • I'm not so sure that the documentation is incorrect, as much as it is very confusing.  I'm going to attempt to re-configure my lab in the exact scenario given on that page, and if it ends up not being possible or the configuration needs to be slightly tweaked, I'll work with the OCS team to see if we can get that section re-worded.
    Sunday, August 3, 2008 2:07 PM
    Moderator
  •  Jeff Schertz wrote:
    I'm not so sure that the documentation is incorrect, as much as it is very confusing.  I'm going to attempt to re-configure my lab in the exact scenario given on that page, and if it ends up not being possible or the configuration needs to be slightly tweaked, I'll work with the OCS team to see if we can get that section re-worded.


    You just said that the Access Edge FQDN cannot be the same name as the domain.  But now you're saying their example isn't impossible, even though they have the Access Edge FQDN the same as the domain name...
    Sunday, August 3, 2008 2:42 PM
  • That's the part I'm talking about.  I'm not sure exactly what the behavior of the Edge configuration wizard is if you attempt to enter the domain name itself into the Access Edge external FQDN field.  That might be the key to understanding what that section means.

    Sunday, August 3, 2008 3:16 PM
    Moderator
  •  Jeff Schertz wrote:

    That's the part I'm talking about.  I'm not sure exactly what the behavior of the Edge configuration wizard is if you attempt to enter the domain name itself into the Access Edge external FQDN field.  That might be the key to understanding what that section means.



    Oh, I see.  OK, let me know what happens when you test it out in a lab.  Thanks for your help, Jeff.

    The way I plan on doing this in production is:

    External FQDN for Access Edge:
    sip.domain.com

    Certificate FQDN:
    CN = sip.domain.com
    SAN = sip.domain.com
    SAN = webconferencing.domain.com

    I plan on assigning this certificate to both Access Edge Servers behind the F5.
    I also plan on assigning this certificate to the Web Conferencing Servers behind the F5.
    Both roles will live on the same servers.
    Sunday, August 3, 2008 4:36 PM
  • I think that if you are using SANs, the first SAN has to equal the SN?

    Also, do you have to use sip.<domain>?  I've seen examples without the "sip", using other names instead (e.g. ocs.<domain>).

     

    Wednesday, August 27, 2008 12:27 AM
  • Correct, it's best practice to enter the Subject Name as the first SAN entry.  Pre-SP1 ISA servers really need this, due to a 'bug' where only the first SAN entry is used.

    And there is no requirement to use the word 'sip' in the FQDN; it's just commonly chosen.  It's analogous to smtp or mail as common mail server prefixes.

    Tuesday, September 16, 2008 1:34 PM
    Moderator
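The naming rules from the accepted answer (CN equals the Access Edge external FQDN, one sip.<domain> SAN per supported SIP domain) and from the last reply (the subject name repeated as the first SAN entry), as an added example that is not part of the thread and not OCS or TechNet code. The function names, the OpenSSL `req` config layout and the sample inputs are this example's own assumptions; the sample names are the ones used in the thread. In practice you would read the real subject and SAN values out of the issued certificate (for instance with `openssl x509 -in edge.cer -noout -subject -ext subjectAltName`) and pass them to `check_certificate_names()`.

```python
"""Added example (not from the thread or from OCS): encode the Access Edge
certificate naming rules discussed above and check a certificate against them.

Rules encoded:
  * Subject CN equals the Access Edge external FQDN.
  * For every supported SIP domain D, the SAN list contains sip.D.
  * The subject name is repeated as the first SAN entry (best practice from
    the last reply; some older proxies only honour the first SAN).

Function names, the OpenSSL config layout and the sample data are assumptions
made for this example.
"""


def _norm(name):
    """Lower-case a DNS name and drop a trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def required_names(external_fqdn, sip_domains):
    """Return (subject_cn, san_list) that the thread's rules call for.

    The CN is listed first in the SAN list; sip.<domain> entries follow in the
    order given, de-duplicated (an FQDN of sip.domain.com for a single
    domain.com deployment yields just one SAN).
    """
    cn = _norm(external_fqdn)
    sans = [cn]
    for domain in sip_domains:
        sip_name = "sip." + _norm(domain)
        if sip_name not in sans:
            sans.append(sip_name)
    return cn, sans


def check_certificate_names(subject_cn, san_entries, external_fqdn, sip_domains):
    """Compare names read from a certificate with the required ones.

    Returns a list of problem strings; an empty list means every rule holds.
    Extra SANs (e.g. a Web Conferencing name on a shared certificate) are fine.
    """
    want_cn, want_sans = required_names(external_fqdn, sip_domains)
    have_cn = _norm(subject_cn)
    have_sans = [_norm(s) for s in san_entries]
    problems = []
    if have_cn != want_cn:
        problems.append("subject CN is %r, expected %r" % (have_cn, want_cn))
    for name in want_sans[1:]:          # the sip.<domain> entries
        if name not in have_sans:
            problems.append("missing SAN %r" % name)
    if not have_sans:
        problems.append("certificate has no subjectAltName extension")
    elif have_sans[0] != have_cn:
        problems.append("first SAN is %r, not the subject name %r" % (have_sans[0], have_cn))
    return problems


def openssl_req_config(external_fqdn, sip_domains):
    """Render an OpenSSL `req` config section that yields a CSR with these names."""
    cn, sans = required_names(external_fqdn, sip_domains)
    alt = ", ".join("DNS:" + s for s in sans)
    lines = [
        "[req]",
        "distinguished_name = dn",
        "req_extensions = ext",
        "prompt = no",
        "",
        "[dn]",
        "CN = " + cn,
        "",
        "[ext]",
        "subjectAltName = " + alt,
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Sample inputs constructed from the names used in the thread.
    domains = ["corp.contoso.com", "sales.contoso.com"]
    print(required_names("ocsedge.corp.contoso.com", domains))
    # The TechNet wording the original poster objected to: CN set to sip.<fqdn>.
    print(check_certificate_names("sip.a.contoso.com",
                                  ["sip.a.contoso.com", "sip.b.contoso.com"],
                                  "a.contoso.com", ["a.contoso.com", "b.contoso.com"]))
    # SANs present but the subject name not listed first.
    print(check_certificate_names("ocsedge.corp.contoso.com",
                                  ["sip.corp.contoso.com", "sip.sales.contoso.com"],
                                  "ocsedge.corp.contoso.com", domains))
    print(openssl_req_config("ocsedge.corp.contoso.com", domains))
```

Generate the request with `openssl req -new -config edge.cnf -key edge.key -out edge.csr` once the rendered config is saved as `edge.cnf`; the poster's production plan (CN and first SAN both sip.domain.com, plus a webconferencing.domain.com SAN) passes the check with no problems reported.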