Certs for Consolidate configuration

  • Question


    I have deployed two internal OCS 2007 servers. One is my IM and internal services, the second one is my Mediation Server. All works well internally. We want to deploy one server in our DMZ named bccedge and install all three edge roles on it.

    If the server is named BCCEDGE.domain.com, how many certs do I need from my public CA?

    Do I need to apply any certs to the internal connection of the Edge server?

     

    As I have seen in previous posts, I take it some subject alternative names can be used so only one cert has to be purchased? Do I need to buy just a normal cert or a Unified Communications Certificate (UCC)?

     

    Do I need to have more than two NICs in the Edge server, or should I have one for each edge role and one for internal, for a total of 4 NICs?

     

    In the configuration of the Edge server, on the screen that prompts for which port and IP address to use for each role, do I use the default ports?

    Saturday, July 12, 2008 6:05 PM

All replies

  • If you have an internal CA, you can use it for the internal interface.  For the external interface you have to have a public certificate.  You will have to use alternative names.

     

    We bought our certificate from www.certificatesforexchange.com.  This was the cheapest that we found.  You will have to buy a Multiple Domain (UCC) certificate.  It allows up to 5 alternative names.

     

    We have only 2 NICs.  One public, the other one private.  The public one is connected to the firewall, which is set up to work in transparent mode.

     

    Thank you.

     

    Saturday, July 12, 2008 9:35 PM
  • So we need to buy a UCC (multiple domain cert), right? How much did it cost you? I just want to compare which cert I should choose.
    Sunday, July 13, 2008 2:53 AM
  • $59.99 per year.  Why don't you go to that website and check it?

     

    Sunday, July 13, 2008 3:16 AM
  • Thanks, I just checked it... yeah, it is USD 59.90... everything works fine?
    Sunday, July 13, 2008 3:35 AM
  • We use it for quite some time.  Works great.

     

    Sunday, July 13, 2008 3:46 AM
  • In my case, currently all my clients internally connect to OCS via group policy forcing the manual configuration to the internal server by the name EEPool1.internal.domain.com and TLS port.

    What will be the name I need to force through group policy?

    Server name was going to be BCCEDGE

     

    I take it the below will be my alternative names?
    sip.domain.com
    webconf.domain.com
    av.domain.com

    Sunday, July 13, 2008 7:58 PM
  • You should use automatic configuration for your clients.

    Implementing the sipinternaltls SRV record is really not hard!

     

    You don't need an external certificate for av.domain.com (you can use an internal cert).

    You should also have two different certs for sip.domain.com and webconf.domain.com, because OCS Edge checks the names in the cert and changes the configuration to the common name or the first SAN in the list.

    (It works with both sip.domain.com and webconf.domain.com in the cert, but I guess it is not best practice.)

     

    You can have a UCC cert for sip.domain.com and use the SANs for the reverse proxy and maybe other sites you want to publish with the reverse proxy.

     

    Sunday, July 13, 2008 10:38 PM
  • We have 1 Edge server.  Everything is installed on this server.  As I said, we have 2 NICs on that server.  One is for the internal connection and one is for public.  The public NIC has 3 public IP addresses.  The public certificate that we use has 3 alternative names.  And it works.  Only one public certificate does everything.

     

    Sunday, July 13, 2008 11:34 PM
  •  Tim Doerr wrote:

     

    I have deployed two internal OCS 2007 servers. One is my IM and internal services, the second one is my Mediation Server. All works well internally. We want to deploy one server in our DMZ named bccedge and install all three edge roles on it.

    If the server is named BCCEDGE.domain.com, how many certs do I need from my public CA?

    Do I need to apply any certs to the internal connection of the Edge server?

     

    As I have seen in previous posts, I take it some subject alternative names can be used so only one cert has to be purchased? Do I need to buy just a normal cert or a Unified Communications Certificate (UCC)?

     

    Do I need to have more than two NICs in the Edge server, or should I have one for each edge role and one for internal, for a total of 4 NICs?

     

    In the configuration of the Edge server, on the screen that prompts for which port and IP address to use for each role, do I use the default ports?

     

    Hello,

     

    MS best practices say you need an extra NIC for the A/V role. Depending on the amount of media traffic you are expecting, you can ignore this best practice or not.

    The minimum is 2 NICs (one internal, one external), with a recommended extra NIC for A/V.

     

    You should use the default ports, yes, unless you're short on IPs in your DMZ.

     

    For the certificates, if you're only supporting one SIP domain you need a certificate for the FQDN of the external interface, as long as you are using auto logon (by using SRV records). I always put an extra SAN for sip.<domain> in the cert in case my SRV record doesn't work.

    For the internal interface you can generate an internal certificate with your CA and import your CA root into the Trusted Root CA folder.

     

    Hope it helps.

     

    Regards,

     

    Hugo Picão

    Monday, July 14, 2008 10:27 AM
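A practitioner's check for the advice above (one public cert whose CN or SAN list covers the external Edge FQDN, the sip.<domain> fallback and the web conferencing name): the script below is an added example, not code from the thread or from OCS. It parses the subject and SAN section as printed by `openssl x509 -in edge.cer -noout -text`, applies RFC 6125 name matching (SANs take precedence over the CN whenever any SAN dNSName is present; a wildcard covers exactly one label), and reports which required names are missing. The certificate text, the SRV target `bccedge.domain.com` and the names `sip.domain.com` / `webconf.domain.com` are constructed sample data.

```python
"""Check that an Edge certificate covers every FQDN external clients will validate.

Added example, not from the original thread or from OCS. All names and the
openssl output below are constructed sample data.
"""
import re

# Constructed sample: the relevant lines of `openssl x509 -noout -text` for a
# hypothetical UCC certificate (CN plus three SAN dNSName entries).
SAMPLE_OPENSSL_OUTPUT = """\
subject=C = US, O = Contoso, CN = sip.domain.com
X509v3 Subject Alternative Name:
    DNS:sip.domain.com, DNS:webconf.domain.com, DNS:bccedge.domain.com
"""


def parse_openssl_names(text: str) -> tuple[str, list[str]]:
    """Return (common name, [SAN dNSName ...]) from openssl's text output."""
    cn_match = re.search(r"CN\s*=\s*([^,\n]+)", text)
    cn = cn_match.group(1).strip().lower() if cn_match else ""
    sans = [s.lower() for s in re.findall(r"DNS:([^,\s]+)", text)]
    return cn, sans


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a host.

    Exact match, or a wildcard in the left-most label only, which covers
    exactly one label: *.domain.com matches sip.domain.com but neither
    domain.com nor a.b.domain.com.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*."):
        return False  # wildcards anywhere else are not accepted
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def presented_names(cn: str, sans: list[str]) -> list[str]:
    """Names a TLS client will compare against the host.

    Per RFC 6125 the CN is consulted only when the certificate carries no
    SAN dNSName at all; as soon as one SAN is present the CN is ignored.
    """
    return sans if sans else [cn]


def edge_required_names(sip_domain: str, external_fqdn: str, webconf_fqdn: str) -> set[str]:
    """External names one public Edge certificate has to cover (assumption:
    Access and Web Conferencing roles share the cert): the FQDN that the
    SRV record points clients to, the sip.<domain> name used when SRV
    lookup fails or manual configuration is used, and the web conferencing
    FQDN.  A/V is left out, matching the advice that it can use an internal cert."""
    return {external_fqdn.lower(), f"sip.{sip_domain}".lower(), webconf_fqdn.lower()}


def missing_names(cn: str, sans: list[str], required: set[str]) -> list[str]:
    """Required names that no presented certificate name covers, sorted."""
    names = presented_names(cn, sans)
    return sorted(r for r in required if not any(name_matches(n, r) for n in names))


if __name__ == "__main__":
    required = edge_required_names("domain.com", "bccedge.domain.com", "webconf.domain.com")
    cn, sans = parse_openssl_names(SAMPLE_OPENSSL_OUTPUT)
    print("UCC cert, missing:", missing_names(cn, sans, required))
    # The trap a single-name cert falls into: CN only, no SANs.
    print("CN-only cert, missing:", missing_names("sip.domain.com", [], required))
    # Worse: a CN that is NOT repeated in the SAN list is ignored entirely.
    print("CN not in SAN, missing:", missing_names("sip.domain.com", ["webconf.domain.com"], required))
```

Run it against the real certificate by pasting the `openssl x509 -noout -text` output into `SAMPLE_OPENSSL_OUTPUT`, and confirm the SRV side separately with `nslookup -type=SRV _sip._tls.domain.com` (external clients) or `_sipinternaltls._tcp.domain.com` (internal clients): the SRV target must be one of the names the script reports as covered. The third case in the block is the one worth remembering when requesting a UCC cert: repeat the CN as a SAN, because validators ignore the CN once any SAN is present.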
  •  Hugo Picao wrote:
    MS best practices say you need an extra NIC for the A/V role.

    You might be right, I do not want to argue.  I set everything up based on MS documentation and did not see this recommendation.  Please point me where it says that it recommends additional NIC.  If this is correct, I will fix our setup.

    Monday, July 14, 2008 1:47 PM
  • I do not believe the Microsoft documentation ever comes out and clearly states that a separate NIC is required for the A/V Edge role, as it is not a requirement, per se.

     

    Due to inherent TCP networking basics, if you are using NAT on the Access and Webconf roles, then a separate physical adapter will be required for the A/V Auth role, as a single Windows network adapter cannot live in two separate IP subnetworks (since the A/V Auth role must have a public IP address).

     

    But if all three Edge roles are assigned valid, fully routable Public IP addresses, then you can assign all three external Edge roles to that same adapter.  (A second adapter will be required for the internal interface.)

     

    That being said, Matt McGillen and I have both seen a number of real-world scenarios where Edge services have either failed or performed poorly in certain configurations.  Here are a few of them:

     

    http://blogs.pointbridge.com/Blogs/mcgillen_matt/Pages/Post.aspx?_ID=20

    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=15

    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19

     

    Monday, July 14, 2008 3:32 PM
    Moderator
  • Hi Igor,

     

    I've been looking in the documentation that I used but, other than the reason Jeff posted, I haven't found it saying exactly that they recommend an extra NIC for A/V.

    Maybe I misunderstood something when I read the 45 OCS docs.

     

    Scrap that extra NIC from my last post, then.

     

    Monday, July 14, 2008 3:43 PM
  • I tried to use NAT for Access and Webconf but it would not work.  I even had an open call with MS and they told me not to use NAT at all.

     

    As soon as I removed NAT, everything worked.  And MS told me that I could remove the third card that I had configured for A/V and combine everything on one NIC.

    Monday, July 14, 2008 3:47 PM
  • That sounds like something specific to that implementation was causing issues.  There are so many network-related possibilities external to OCS itself that complicate the process.  NAT is both supported and definitely works for the Edge Access and Web Conferencing roles, but if MS PSS told you to try removing NAT for that install, I'm sure there was good reason.
    Monday, July 14, 2008 4:02 PM
    Moderator