DNS - External Users

  • Question

  • Hello - I'd like to post my DNS config for review, would appreciate confirmation that this will work (or not).

     

    I've successfully configured OCS 2007 Enterprise edition with my domain (xyz.com).  Internal meetings work, external meetings work, file sharing, etc.  It's all good.  Since we also support several email domains, we're going to have several SIP domains (one for each email domain).  xyz.com is our primary domain, abc.com is one of the other domains we want to support.  The sip.abc.com has been added as SubjectAltName on cert of the AccessEdge Server and the OCS Front-End Server (plus IIS).

     

    (External DNS)

    SRV _sipfederationtls._tcp.xyz.com    5061    sip.xyz.com
    SRV _sipexternaltls._tcp.xyz.com      5061    sip.xyz.com
    SRV _sip._tls.xyz.com                 443     sip.xyz.com
    SRV _sipfederationtls._tcp.abc.com    5061    sip.abc.com
    SRV _sipexternaltls._tcp.abc.com      5061    sip.abc.com
    SRV _sip._tls.abc.com                 443     sip.abc.com

    A   sip.xyz.com                               111.111.111.111
    A   sip.abc.com                               111.111.111.111
    A   av.xyz.com                                111.111.111.112
    A   meetings.xyz.com                          111.111.111.113
    A   ocsweb.xyz.com                            111.111.111.114

     

    It's my understanding that the sip.<domain>.com entries are the only ones that need to exist for the second (abc.com) domain and that the internal front-end server will direct all other communications/protocols to the appropriate edge servers behind the scenes.

     

    Would appreciate comments, feedback, suggestions, etc.  Thank you.


    Thursday, May 17, 2007 1:38 AM

Answers

  • During DNS lookup, SRV records are queried in the following order:

    1. _sipinternaltls._tcp.domain - for internal TLS connections
    2. _sipinternal._tcp.domain - for internal TCP connections (performed only if TCP is allowed)
    3. _sip._tls.domain - for external TLS connections
    4. _sip._tcp.domain - for external TCP connections

    Based on what I see, you have two SRV records for external, one pointing to 443 and one pointing to 5061. I am assuming you have changed your external connections to 443, so the records for SRV _sip._tls.abc.com and SRV _sip._tls.xyz.com are correct. I would change SRV _sipexternaltls._tcp.xyz.com to SRV _sipinternaltls._tcp.xyz.com for internal connections, and the same for ABC. Everything else looks good to me.

     

    Louis H

    OCS 2007 Beta Support Team

    Wednesday, June 13, 2007 9:17 PM
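
The lookup order listed in the answer above, run over the external records from the question, as an added example that is not part of the original posts or any Microsoft code. The record list is re-typed from the question; the certificate name set and all function names are assumptions made for illustration.

```python
# Added example: the answer's SRV lookup order run over the question's records.
LOOKUP_ORDER = [                       # (SRV prefix, tried only if TCP is allowed)
    ("_sipinternaltls._tcp", False),
    ("_sipinternal._tcp", True),
    ("_sip._tls", False),
    ("_sip._tcp", False),
]
ZONE = """\
SRV _sipfederationtls._tcp.xyz.com 5061 sip.xyz.com
SRV _sipexternaltls._tcp.xyz.com 5061 sip.xyz.com
SRV _sip._tls.xyz.com 443 sip.xyz.com
SRV _sipfederationtls._tcp.abc.com 5061 sip.abc.com
SRV _sipexternaltls._tcp.abc.com 5061 sip.abc.com
SRV _sip._tls.abc.com 443 sip.abc.com
A sip.xyz.com 111.111.111.111
A sip.abc.com 111.111.111.111
"""
# Assumption: names on the Access Edge certificate (subject plus SubjectAltName).
CERT_NAMES = {"sip.xyz.com", "sip.abc.com"}

def parse_zone(text):
    """Split the record list into {srv_name: (port, target)} and {host: address}."""
    srv, hosts = {}, {}
    for line in text.splitlines():
        f = line.split()
        if f and f[0] == "SRV":
            srv[f[1].lower()] = (int(f[2]), f[3].lower())
        elif f and f[0] == "A":
            hosts[f[1].lower()] = f[2]
    return srv, hosts

def first_match(sip_domain, srv, hosts, cert_names=CERT_NAMES, tcp_allowed=False):
    """Return (srv_name, port, target, problems) for the first record a client finds."""
    for prefix, needs_tcp in LOOKUP_ORDER:
        name = f"{prefix}.{sip_domain.lower()}"
        if name in srv and (tcp_allowed or not needs_tcp):
            port, target = srv[name]
            checks = [(target in hosts, f"no A record for {target}"),
                      (target in cert_names, f"{target} is not a name on the certificate")]
            return name, port, target, [msg for ok, msg in checks if not ok]
    return None

def outside_lookup_order(srv):
    """SRV names in the zone that the answer's four-step order never queries."""
    prefixes = tuple(p + "." for p, _ in LOOKUP_ORDER)
    return sorted(n for n in srv if not n.startswith(prefixes))

if __name__ == "__main__":
    print(first_match("abc.com", *parse_zone(ZONE)))
```

Records returned by `outside_lookup_order` are not necessarily wrong, since they may serve a purpose other than client sign-in, but they are the ones worth a second look when a client fails to find the edge.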

All replies

  • I have been trying to find more info about this and will keep looking.
    Can you give me an update on your configuration? Are you still having this problem? Have there been any changes?
    If you do not have this problem anymore, can you share your resolution with the forums?
    Thanks.
    Wednesday, June 13, 2007 8:43 PM