locked
Certificate for Client Systems?? Necessary?? RRS feed

  • Question

  • Hi All,

     

    We are planning to deploy a OCS 2007 for 1000 users in consolidated enterprise enviornment. It will have all the fetaures like

     

    IM, Presence,A/V, Web Conf, Voice and Public IM.

     

    Just wanted to know ,do we need certificate for all the 1000 clients ?

     

    I know i need to have certificate for all the OCS servers. Can i do away with the user/client certificates.

     

    We do not want to use windows 2003 CA and have a tie-up with verisign for the certs.

     

    Thanks in advance.

     

    Cheers

    AP

    Thursday, November 15, 2007 6:39 AM

All replies

  • You only need to have the clients trust the Certificate Authority that issued the server certificates

    If that is a public this is automatic

    If this is a private certificate authority the clients download the CA Root certificate automatically if you installed an Enterprise root Certfication authority

    If this is a private and no enterprise root CA then you need to configure a group policy to automatically disctribute the root certificate to the clients

     

    Clients only use TLS

    Server must use MTLS (mutual TLS)

     

    Deli

     

    Friday, November 16, 2007 4:00 PM
  • HI Deli,

     

    Thanks for the reply. Could you tell me, is it possible to not all use external public CA and only use enterprise CA for all the certificate requirements for OCS.

     

    My specific case is for edge servers. And what should i take care, when planning certificate requirements if the domain name and external reverse proxy name does not match My specfic case is :

     

    Client have an AD domain ABC.com and the external domain ABCNET.com. What should i take care for such scenario.

     

    Regards

    AP

    Monday, November 19, 2007 7:58 AM
  • You can use an internal CA to issue all certififcates for OCS.  You'll need to make sure that any external clients have the internal CA's root certificate in the Local Computer\Trusted Root Certification Authorities store.

     

    Regarding the domain name, you can issue two seperate certificates, one using the standard server or enterprise pool FQDN for Front-End-to-Proxy Server communications, and a second certificate using the external Web Farm FQDN as the Service Name for the Client-to-Proxy Server portion of communications.

    Monday, November 19, 2007 2:54 PM
    Moderator
  • Thanks Jeff for the reply.

     

    If i use only TCP (No certificate ) for the internal clients. Are there any impact on the features like Im/Presence, A/V and Web Conf etc.

     

    Regards

    AP

    Tuesday, November 20, 2007 5:20 AM