About Edge and Certificates within a Test Setup

  • Question

  • Hi there,

    I am trying to set up a test environment at home within some vmware hosted servers, and get to know this product well so I can soon deploy it at my customers' locations.

    Now it all seems pretty straightforward, except for the following:

    1. Is it possible to deploy the external edge server on your same standard server installation? (Mainly for testing purposes, my pc cannot hold more vmware servers atm to create another one).
    2. Is it possible to use one multiple certificate domain for all edge and se servers?
    3. If not, I should use internal certificates for my SE and internal edge server. If so, and I set up my own CA, will the CA automatically distribute the certificates to all my domain member systems, so they will automatically trust the certificates? Or should I deploy the root certificate of the CA somehow to all the clients?

    Thanks a lot in advance.

    Best Regards

    Sunday, July 20, 2008 9:37 AM

All replies

  • 1. No.  The installation blocks coexistence of SE and Edge roles.

    2. Yes, you can use a single certificate for all servers as long as you have the correct Subject Alternative Names (SANs) defined in the certificate.

    3. It's more relevant to a production deployment if you install a CA in your test environment and issue the certificates with that CA.  Domain-joined clients will automatically trust an Enterprise Root CA via GPO.  After the CA is deployed run gpupdate on your workstations to pull down the certificate.  If your workstations are not domain joined then you can manually install the CA certificate onto them.  The easiest way to do this is via http://<caservername>/certsrv.  To have this option available make sure you have IIS installed on the domain controller before you install the CA service.

    Sunday, July 20, 2008 4:06 PM
    Moderator
  •  Mike Stacy wrote:

    1. No.  The installation blocks coexistence of SE and Edge roles.

    2. Yes, you can use a single certificate for all servers as long as you have the correct Subject Alternative Names (SANs) defined in the certificate.

    3. It's more relevant to a production deployment if you install a CA in your test environment and issue the certificates with that CA.  Domain-joined clients will automatically trust an Enterprise Root CA via GPO.  After the CA is deployed run gpupdate on your workstations to pull down the certificate.  If your workstations are not domain joined then you can manually install the CA certificate onto them.  The easiest way to do this is via http://<caservername>/certsrv.  To have this option available make sure you have IIS installed on the domain controller before you install the CA service.



    Great reply, just what I was looking for. Thank you very much!
    Sunday, July 20, 2008 5:00 PM



  • I would strongly recommend using different certs for SE and Edge. A certificate with SAN is not supported on the Edge Server.


    Regards,
    R. Kinker
    MCSE 2003 (Messaging), MCTS - LCS 2005, MCTS - OCS 2007
    http://www.ocspedia.com
    http://www.itcentrics.com/LCS_Home.htm
    Monday, July 21, 2008 5:27 PM
  • Ok thank you! I will make sure to follow up on your advice.
    Wednesday, July 23, 2008 3:42 PM
  • Kinker,


    Your statement "Certificate with SAN is not supported on the Edge Server" is not accurate.  Not only is it supported, it's necessary in certain cases - for example, when you use multiple SIP domains.

    Wednesday, July 23, 2008 6:11 PM
    Moderator
  • The thing to be careful with using a SAN cert is you need to be careful what the common name is on the certificate.  It needs to be the address that others will connect to (i.e. sip.domainname.com).  If you use the internal server name and don't have a DNS record on the outside, the access edge server of your federated partner will not be able to contact it.


    Mark

    http://www.unplugthepbx.com


    Wednesday, July 23, 2008 7:00 PM
  • The other "gotcha" is if you plan to use federation the subject name of the certificate must match the name that you specify in your _sipfederationtls record.


    Wednesday, July 23, 2008 8:13 PM
    Moderator
  • We need SAN and it is supported on the Access Edge external certificate.

    But having the web conferencing edge server external URL in the SAN list rather than the subject name creates problems intermittently.

    And as you said, the federation process also has some reservations regarding SAN.

    Overall we can say that SAN is only recommended for Remote Access purposes.

    I have encountered so many problems with other Edge services using SAN.



    Regards,
    R. Kinker


    Thursday, July 24, 2008 7:03 AM
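As an added example (not code from any poster in this thread), the three naming rules raised above as a checker: the CN must be the externally reachable Access Edge name with a public DNS record (Mark's post), the subject name must match the _sipfederationtls target (the moderator's post), and other Edge service names covered only by a SAN entry are reported as a note (Kinker's post). The EdgeCert structure, the function names and every DNS name below are constructed; the wildcard rule (one leftmost label) is the usual DNS matching rule and an assumption beyond what the thread states.

```python
"""Check an Edge certificate's names against this thread's advice. Added example; all values are constructed."""
from dataclasses import dataclass, field


@dataclass
class EdgeCert:
    common_name: str                          # subject CN as issued
    san_dns: list = field(default_factory=list)  # DNS entries of the SAN extension


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; a wildcard covers exactly one leftmost label (assumed rule)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
    label = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(label) and "." not in label


def check_edge_cert(cert, access_edge_fqdn, federation_srv_target,
                    public_dns_names, other_service_fqdns):
    """Return findings; an empty list means the names line up with the thread's rules."""
    findings = []
    cn = cert.common_name.lower()
    # Mark: the CN must be the name others connect to, and it needs an external DNS record.
    if cn != access_edge_fqdn.lower():
        findings.append(f"CN {cn!r} is not the external Access Edge name {access_edge_fqdn!r}")
    if cn not in {n.lower() for n in public_dns_names}:
        findings.append(f"no external DNS record for CN {cn!r}; partners cannot reach it")
    # Moderator: for federation the subject name must match the _sipfederationtls target.
    if cn != federation_srv_target.lower():
        findings.append(f"CN {cn!r} differs from _sipfederationtls target {federation_srv_target!r}")
    # Kinker: other Edge services (web conferencing, A/V) served from SAN entries alone
    # worked only intermittently for him, so a SAN-only match is reported as a note.
    for fqdn in other_service_fqdns:
        if not any(name_matches(n, fqdn) for n in [cert.common_name, *cert.san_dns]):
            findings.append(f"{fqdn!r} is neither the CN nor a SAN entry")
        elif not name_matches(cert.common_name, fqdn):
            findings.append(f"note: {fqdn!r} is covered only by a SAN entry")
    return findings


# Constructed sample: one SAN certificate meant to cover every Edge service of example.com.
SAMPLE_CERT = EdgeCert("sip.example.com",
                       ["sip.example.com", "webconf.example.com", "av.example.com"])
SAMPLE_PUBLIC_DNS = {"sip.example.com", "webconf.example.com", "av.example.com"}


def demo():
    return check_edge_cert(SAMPLE_CERT, "sip.example.com", "sip.example.com",
                           SAMPLE_PUBLIC_DNS, ["webconf.example.com", "av.example.com"])
```

demo() returns two "note:" findings for the sample, one per service name that lives only in the SAN list; swapping the CN for an internal host name produces the three hard failures the thread warns about.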