What Names should OCS Certificate have?

  • Question

  • Hi All,

    I deployed an environment with Exchange 2007 Server, OCS 2007 Enterprise (Consolidated Topology) and OCS 2007 Edge Server (Consolidated Topology).

    My Internal Domain is cercorp.com and my external domain is cercorp.com.pe.

    The Pool Name is ocspool.cercorp.com.

    The Internal web Farm FQDN is ocspool.cercorp.com and the External Web Farm FQDN is owc.cercorp.com.pe.

    The SIP account for all users is Username@cercorp.com.pe

    What names should the OCS 2007 Consolidated Server have?

    I put this:

    CN: ocspool.cercorp.com
    SAN: ocspool.cercorp.com
            sip.cercorp.com.pe
            srvocs.cercorp.com   ---> FQDN of OCS 2007
            owc.cercorp.com.pe

    Is this OK?

    Thanks.

    Monday, March 9, 2009 8:04 PM

Answers

  • Yes,  ISA Server 2006 supports SAN field values with SP1 (pre-SP1 installation will only process the first entry in the SAN field).
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, March 11, 2009 3:17 PM
    Moderator

All replies

  • The certificate on the internal Front-End server does not need the external Web Farm FQDN on it.  The important element is that you have the FQDN of the A record referenced by an SRV record included in the SN/SAN fields, which appears to be ocspool.cercorp.com, which is fine in this example.  Having additional unnecessary fields in the SAN will not normally cause any problems.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, March 9, 2009 8:10 PM
    Moderator
  • Hi Jeff,

    Thanks for the reply,

    The OCS Edge Server in consolidated Topology needs 4 NICs for the Following:

    - 1 NIC - OCS Edge Server Private Interface.
    - 1 NIC - OCS Access Edge Server Public Interface.
    - 1 NIC - OCS Web Conferencing Edge Server Public Interface.
    - 1 NIC - OCS A/V Edge Server Public Interface.

    In the deployment of OCS Edge Server it is necessary to create certificates for the OCS Edge Server Private Interface, OCS Access Edge Server Public Interface and OCS Web Conferencing Edge Server Public Interface.

    So, what names should the Internal NIC certificate and the Access Edge Server NIC certificate have?

    For the OCS Edge Server Private Interface I put the FQDN of the OCS Edge Server on the certificate:

    CN: srvedge.cercorp.com --> OCS Edge Server Name

    For the OCS Access Edge Server Public Interface I put the following:

    CN: sip.cercorp.com.pe

    SAN: sip.cercorp.com.pe
            owc.cercorp.com.pe
            srvedge.cercorp.com

    In the OCS Access Edge Server Public Interface certificate, is it necessary to put the External Web Farm FQDN (owc.cercorp.com.pe)?

    Thanks.

    Jose Osorio R.
    Monday, March 9, 2009 9:32 PM
  • Try taking a look at this article:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, March 9, 2009 10:23 PM
    Moderator
  • Hi Jeff,

    Is it possible to install a SAN certificate on the Web Listener (ISA 2006 Server)? We ask because we don't want to buy a third-party certificate.

    Thanks.

    Tuesday, March 10, 2009 4:04 AM
  • Yes,  ISA Server 2006 supports SAN field values with SP1 (pre-SP1 installation will only process the first entry in the SAN field).
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, March 11, 2009 3:17 PM
    Moderator
  • Hi Jeff,

    Thanks for the reply,

    So I have to re-create my OCS 2007 Front-End like this:


    CN: ocspool.cercorp.com
    SAN: owc.cercorp.com.pe
            ocspool.cercorp.com
            sip.cercorp.com.pe
            srvocs.cercorp.com   ---> FQDN of OCS 2007


    Now with this certificate I can publish via ISA 2006 SP1.


    Thanks.

    Jose Osorio R.
    Wednesday, March 11, 2009 10:40 PM
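
The SAN-ordering point from the thread, as an added example that is not part of the original posts and is not ISA Server or OCS code: it checks which required FQDNs each posted certificate would fail to match when a consumer reads every SAN entry versus only the first one (the pre-SP1 behaviour Jeff describes). Assumptions: the function names are hypothetical, the CN is only consulted when no SAN is present (the RFC 2818 rule), and the ISA listener is matched against the external web farm FQDN.

```python
# Added example: names and SAN orderings are taken from the thread above;
# the matching model is an assumption, not ISA Server's or OCS's actual code.

def normalize(name):
    """Lower-case a DNS name and drop a trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()

def names_seen(cn, sans, first_san_only=False):
    """Return the names a TLS consumer would match against, in order.

    Assumption: when a SAN extension is present only SAN entries are used
    (the RFC 2818 rule); the CN is a fallback for certificates without a SAN.
    first_san_only=True models the pre-SP1 ISA Server 2006 behaviour described
    in the thread, where only the first SAN entry is processed.
    """
    if not sans:
        return [normalize(cn)]
    entries = [normalize(s) for s in sans]
    return entries[:1] if first_san_only else entries

def missing_names(required, cn, sans, first_san_only=False):
    """List the required FQDNs the certificate would fail to match."""
    seen = set(names_seen(cn, sans, first_san_only))
    return [r for r in required if normalize(r) not in seen]

# SAN orderings as posted in the thread (first request, then the re-issued one).
FIRST_REQUEST = ("ocspool.cercorp.com", [
    "ocspool.cercorp.com", "sip.cercorp.com.pe",
    "srvocs.cercorp.com", "owc.cercorp.com.pe"])
REISSUED = ("ocspool.cercorp.com", [
    "owc.cercorp.com.pe", "ocspool.cercorp.com",
    "sip.cercorp.com.pe", "srvocs.cercorp.com"])

POOL = ["ocspool.cercorp.com"]       # FQDN the thread says the Front-End cert needs
PUBLISHED = ["owc.cercorp.com.pe"]   # external web farm FQDN (assumed listener name)

if __name__ == "__main__":
    for label, (cn, sans) in (("first", FIRST_REQUEST), ("reissued", REISSUED)):
        for sp1 in (True, False):
            gap = missing_names(PUBLISHED, cn, sans, first_san_only=not sp1)
            print(label, "SP1" if sp1 else "pre-SP1", "missing:", gap or "none")
        print(label, "pool name missing:", missing_names(POOL, cn, sans) or "none")
```

Under this model only the first request read by a first-entry-only consumer leaves owc.cercorp.com.pe unmatched; the re-issued ordering matches in both cases.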