TLS port tcp - does this require external DNS srv records? Local CA authority cert with SAN good enough?

  • Question

  • I'm trying to understand how Office Communicator Server 2007 handles TLS offsite..

    Is the default port 5061 TCP (or UDP?)?  Does this require a DNS server record (external.. i.e. Network Solutions DNS manager, which doesn't seem to have the ability to add SRV records)..

    I've tried a client offsite.. setting the external server to wan1.domain.com.. I also tried wan1.domain.com:5061.. either way.. the client that is offsite won't connect (on site via TLS is fine)..

    I'm also using a CA authority from a 2003 server.. I've configured the cert with a main name of server.domain.local and a SAN of wan1.domain.com.  Is this all I need.. or do "internal" SAN-capable/CA certs not do the job in this case...

    Thanks


    Thursday, October 25, 2007 1:01 AM

All replies

  • SRV records are used by clients to find your OCS (EDGE) server, you don't really need them but then you need to manually configure every client (that is not what you want)

    You do need an OCS EDGE server when you want internet access to your OCS servers


    Internal certificates work fine as long as your remote clients trust your internal ROOT CA


    Deli

    Monday, October 29, 2007 11:41 PM
  • Actually, TLS communicates over port 443.

    If you configure your external clients to use "wan1.domain.com:443" it will most probably work.

    Port 5061 (TCP) on the external interface of the Edge server is used for federation.


    An internally issued certificate will do just fine in this case.

    Tuesday, October 30, 2007 12:17 PM
  •  Deli Pro-Exchange wrote:

    SRV records are used by clients to find your OCS (EDGE) server, you don't really need them but then you need to manually configure every client (that is not what you want)

    You do need an OCS EDGE server when you want internet access to your OCS servers


    Internal certificates work fine as long as your remote clients trust your internal ROOT CA


    Deli

    Does this mean I should somehow get the internal CA certificate installed on my Pocket PC or offsite PC for this to work in TLS mode?

    I've tried doing the address:443 option with TLS, but it says cannot sign in ...

    I think I'm missing a few steps here.

    We don't have an Edge server yet.. is this Edge server really needed for TLS..

    What about needing Edge for Live Meeting invitations sent to non-domain people offsite.. is it a necessity (I tried opening firewall ports, no luck so far)?  If so.. does this mean ISA Server is needed too?  Could the Edge server be virtualized on another physical box with a secondary NIC with an external public IP address.. or does virtualizing an edge/DMZ server contradict the idea of security and all?

    Tuesday, October 30, 2007 8:03 PM
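Deli's point (internal certificates are fine if the remote client trusts the internal root) and the poster's follow-up question about installing that root on the offsite machine can be checked without any OCS at all. The script below is an added example, not code from the thread or from OCS: it rebuilds the poster's certificate layout with throwaway keys (CN server.domain.local, SAN wan1.domain.com, issued by a constructed internal root CA) and runs the same chain-plus-hostname check a connecting client performs. The CA and host names are the thread's placeholders; openssl 1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the poster's certificate layout with
# throwaway keys and check what a remote client concludes. Needs openssl 1.1+.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# make_root NAME FILEBASE: a self-signed root CA (stand-in for the 2003 CA).
make_root() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 30 \
    -extfile "$2.ext" -out "$2.pem" >/dev/null 2>&1
}
make_root "Internal Root CA (constructed)" internal   # what on-site machines trust
make_root "Some Other Root (constructed)"  other      # a trust store lacking the internal root

# Server cert as described in the question: CN is the internal name,
# the SAN carries the external name (both placeholders from the thread).
printf 'subjectAltName=DNS:server.domain.local,DNS:wan1.domain.com\n' >san.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.domain.local" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA internal.pem -CAkey internal.key -CAcreateserial \
  -days 30 -extfile san.ext -out server.pem >/dev/null 2>&1

# verify_as_client HOSTNAME TRUSTFILE: chain check against TRUSTFILE plus
# hostname match against the cert, i.e. what a client sees; prints ok or fail.
verify_as_client() {
  if openssl verify -CAfile "$2" -verify_hostname "$1" server.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

verify_as_client wan1.domain.com     internal.pem   # ok: trusted root, SAN matches
verify_as_client server.domain.local internal.pem   # ok: SAN also lists the internal name
verify_as_client wan1.domain.com     other.pem      # fail: client lacks the internal root
verify_as_client sip.domain.com      internal.pem   # fail: name not in the SAN
```

The third line of output is the offsite client's situation until the internal root certificate is installed in its trust store; the fourth is what happens if clients are pointed at a name the certificate does not carry.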
  •  Martijn Haverhoek wrote:


    Actually, TLS communicates over port 443.

    If you configure your external clients to use "wan1.domain.com:443" it will most probably work.

    Port 5061 (TCP) on the external interface of the Edge server is used for federation.


    An internally issued certificate will do just fine in this case.

    Actually.. just thought about it.. port 443 won't work for this server, as I already have port 443 open to another server.. I can't have 2 identical inbound rules..

    What about wan1.domain.com:5061?  Or could I just change the port somewhere in settings to something like 4433?

    Tuesday, October 30, 2007 8:05 PM