PIC and multiple SIP domains

  • Question

  • I have heard that PIC providers ignore SAN names in a certificate.  I also know that for each SIP domain we have, we need an SRV record that points to an A record which should be a name that exists on the certificate.  But if we have multiple SIP domains, some of those domains are going to end up being in the SAN name of the certificate.  So how do we do PIC for our multiple SIP domains?
    Monday, September 1, 2008 12:13 AM

All replies

  • That is the way to do it, so I am curious where you heard that rumor?

    Monday, September 1, 2008 9:06 AM
  • From an OCS Architect and a PSS Escalation Engineer: that the PIC providers ignore SAN names. That's why I'm curious how you set up PIC when you have multiple SIP domains. Perhaps you just tell PIC vendors the name of your Access Edge (the Common Name of the cert) and a list of all your SIP domains. Then the PIC providers know that for these specific SIP domains, they have to communicate with your Access Edge directly with the Common Name. Perhaps that is what it means.

    I haven't set up PIC yet, so I don't know what the process is like setting it up.
    Monday, September 1, 2008 2:12 PM
  • That might be right.

    I found some info on the OCS Team blog:

    * Enhanced Federation does NOT support multiple domains. Customers with multiple domains will have to choose the 1 domain they want for Enhanced Federation.

    If you need multiple domains it seems that you need multiple Access Edge servers (one for every domain that you support).

    Monday, September 1, 2008 3:49 PM
  • That's with enhanced federation.  PIC uses direct federation.  So if you have 3 SIP domains:

    You will probably have the CN/SN of your Access Edge External FQDN be something like sip.a.com.  When you do PIC, you tell them that for those 3 domains, the FQDN for your Access Edge is sip.a.com.  Then the PIC providers know that for these 3 domains, they need to talk to sip.a.com.

    If PIC providers end up moving towards enhanced federation where they start looking at SRV records, those SRV records will have to point to SAN names as an SRV record for A.com can't point to a DNS name for B.com.  Because of that, PIC providers would have to support SAN names if they moved towards the enhanced (open) federation model.

    And yes, PIC providers ignore SAN names and only care about the CN/SN.

    Hope that helps.
    Tuesday, September 2, 2008 3:51 PM
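The two models the thread contrasts (direct federation where the provider is handed one Access Edge FQDN for all your SIP domains and only compares it to the certificate CN, versus SRV-based federation where each SIP domain's `_sipfederationtls._tcp` record must point at a name the peer can match in the certificate) are easy to get wrong on paper. Below is an added example, not code from the thread or from Microsoft, that models both checks over constructed data: a hypothetical Access Edge certificate with CN `sip.a.com` and SANs `sip.b.com` / `sip.c.com`, and a hand-built SRV table standing in for DNS answers. The "SRV target must lie inside the SIP domain" rule and the "CN-only" peer behaviour are taken from the last post as stated, not verified against any particular provider.

```python
"""Which SIP domains can a federation peer reach over TLS, given the Access
Edge certificate's names and each domain's federation SRV record?

Added example with constructed data; not code from the original thread.
"""

from dataclasses import dataclass, field


@dataclass
class EdgeCert:
    """Names on a (hypothetical) Access Edge certificate."""
    cn: str                                   # subject Common Name
    sans: set = field(default_factory=set)    # dNSName entries in the SAN extension

    def names(self, honor_san: bool) -> set:
        # A peer that only looks at the CN (how the thread describes PIC
        # providers) sees one name; a peer that parses SAN sees CN plus SAN.
        return {self.cn} | (self.sans if honor_san else set())


# Constructed DNS answers: SIP domain -> target host of the
# _sipfederationtls._tcp.<domain> SRV record (port 5061 assumed throughout).
SRV = {
    "a.com": "sip.a.com",
    "b.com": "sip.b.com",
    "c.com": "sip.c.com",
    "d.com": "sip.a.com",   # SRV for d.com pointing into a.com: the case the post rules out
}


def srv_target(domain: str):
    """Stand-in for a real SRV lookup; returns None when no record exists."""
    return SRV.get(domain)


def target_in_domain(domain: str, target: str) -> bool:
    """Suffix rule from the post: an SRV for a.com must point at a host in a.com."""
    return target == domain or target.endswith("." + domain)


def check_domain(domain: str, cert: EdgeCert, honor_san: bool):
    """Return (srv_target, ok, reason) for SRV-based (enhanced/open) federation."""
    target = srv_target(domain)
    if target is None:
        return (None, False, "no SRV record")
    if not target_in_domain(domain, target):
        return (target, False, "SRV target outside SIP domain")
    if target not in cert.names(honor_san):
        return (target, False, "target not among cert names the peer honors")
    return (target, True, "ok")


def check_all(domains, cert: EdgeCert, honor_san: bool):
    return {d: check_domain(d, cert, honor_san) for d in domains}


def uncovered_targets(domains, cert: EdgeCert, honor_san: bool) -> set:
    """SRV targets a peer cannot match in this cert. Under CN-only matching each
    of these would need its own Edge name and certificate, which is the
    'one Access Edge per domain' consequence mentioned in the thread."""
    return {
        res[0] for res in check_all(domains, cert, honor_san).values()
        if res[0] is not None and res[2] == "target not among cert names the peer honors"
    }


def direct_federation_ok(domains, configured_fqdn: str, cert: EdgeCert) -> bool:
    """Direct federation as the post describes PIC: the provider is told one
    Edge FQDN for all listed domains and only compares it with the cert CN.
    The domain list does not enter the TLS check at all."""
    return bool(domains) and configured_fqdn == cert.cn


if __name__ == "__main__":
    cert = EdgeCert("sip.a.com", {"sip.b.com", "sip.c.com"})
    doms = ["a.com", "b.com", "c.com", "d.com"]
    for honor in (False, True):
        print(f"peer honors SAN = {honor}")
        for d, r in check_all(doms, cert, honor).items():
            print(f"  {d:6} -> {r}")
        print("  uncovered targets:", uncovered_targets(doms, cert, honor))
    print("PIC/direct with sip.a.com:", direct_federation_ok(doms[:3], "sip.a.com", cert))
    print("PIC/direct with sip.b.com:", direct_federation_ok(doms[:3], "sip.b.com", cert))
```

Run it once with `honor_san=False` to see the situation the original poster was worried about: only `a.com` passes, and `sip.b.com` / `sip.c.com` show up as uncovered targets. Flip it to `True` and the same certificate serves all three domains, while `d.com` still fails on the suffix rule regardless, which is the point made about SRV records not being able to point across domains.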