External SRV Records

Question
-
External automatic configuration isn't working, not sure how to check to see if the SRV records are working correctly (obviously not since auto config isn't working).
My situation may be a little unique. Our users are all configured with sip:username@domaina.com. Our sip url for accessing it on the edge is sip.domainb.com. There are also domain.local SIP domains listed in OCS but no users are set to use those SIP addresses in their URI so I shouldn't need external SRV records for those domains correct? Here are my SRV and A records:
SRV Record: _sipfederationtls._tcp.domaina.com
Port: 5061
Host: sip.domainb.com
SRV Record: _sipfederationtls._tcp.domainb.com
Port: 5061
Host: sip.domainb.com
SRV Record: _sip._tls.domaina.com
Port: 443
Host: sip.domainb.com
SRV Record: _sip._tls.domainb.com
Port: 443
Host: sip.domainb.com
A Record: sip.domainb.com
Whose IP address is: x.x.x.x
A Record: webcon.domainb.com
Whose IP address is: x.x.x.x
A Record: av.domainb.com
Whose IP address is: x.x.x.x
A Record: abs.domainb.com
Whose IP address is: x.x.x.x
I know the edge is working because if I have an external client put in sip.domainb.com:443 in their communicator client from outside it connects fine. What can I try to get this working?
Thanks
Friday, May 16, 2008 7:37 PM
All replies
-
Based on this webpage: http://www.eggheadcafe.com/software/aspnet/31853829/access-edge-server-and-sr.aspx I changed my SRV records to point to their respective domains' A records because as the reply post said that you are not allowed to have an SRV record point to another domain name.
SRV Record: _sipfederationtls._tcp.domaina.com
Port: 5061
Host: sip.domaina.com
SRV Record: _sipfederationtls._tcp.domainb.com
Port: 5061
Host: sip.domainb.com
SRV Record: _sip._tls.domaina.com
Port: 443
Host: sip.domaina.com
SRV Record: _sip._tls.domainb.com
Port: 443
Host: sip.domainb.com
A Record: sip.domaina.com
Whose IP address is: 1.1.1.1
A Record: sip.domainb.com
Whose IP address is: 1.1.1.1
I now get an error when connecting "There was a problem verifying the certificate from the server" which leads me to believe the SRV records are working correctly now. However the SSL cert is for sip.domainb.com not sip.domaina.com. When I ran through the OCS Configure Certificates for the Edge Server my Subject name is sip.domainb.com and my Subject Alternate Name included sip.domaina.com along with my other local sip FQDNs so I shouldn't get the certificate error above right? I shouldn't have to delete and replace the cert with one that is of sip.domaina.com correct? What should I try next?
Friday, May 16, 2008 8:14 PM
-
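The two record sets above (the original layout, and the revised one after the eggheadcafe advice) can be checked offline before touching DNS or the certificate request. The script below is an added example, not code from the thread or from Microsoft; it rebuilds both record sets from the posts as constructed sample data and applies the checks the thread turns on: each SIP domain used in user URIs needs a `_sip._tls` (443) and `_sipfederationtls._tcp` (5061) record, the SRV target needs an A record, the target must live inside the SIP domain itself (the rule quoted from the eggheadcafe reply, treated here as an assumption), and the target must be named by the edge certificate. The certificate is modelled as a plain list of subject and SAN names, since the thread shows that what matters is whether the issued cert actually carries the SAN, which only the cert's Details tab can confirm.

```python
"""Offline consistency check for the OCS external SRV/A/certificate layout.

Added example; record sets and certificate names are constructed from the
posts in this thread, nothing is looked up over the network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    name: str     # e.g. "_sip._tls.domaina.com"
    port: int
    target: str   # host the SRV record points at


# Ports the Communicator client and Access Edge use, as listed in the posts.
EXPECTED_PORTS = {"_sip._tls": 443, "_sipfederationtls._tcp": 5061}


def split_srv_name(name):
    """'_sip._tls.domaina.com' -> ('_sip._tls', 'domaina.com')."""
    service, proto, domain = name.split(".", 2)
    return f"{service}.{proto}", domain


def check_layout(srv_records, a_records, sip_domains, cert_names):
    """Return a list of findings; an empty list means the layout is consistent.

    srv_records: iterable of Srv
    a_records:   dict host -> IP for every external A record
    sip_domains: SIP domains that appear in user URIs
    cert_names:  subject name plus every SAN on the edge certificate
    """
    findings = []
    cert = {n.lower() for n in cert_names}
    by_key = {split_srv_name(r.name): r for r in srv_records}
    for domain in sip_domains:
        for service, port in EXPECTED_PORTS.items():
            r = by_key.get((service, domain))
            if r is None:
                findings.append(f"{domain}: missing {service} SRV record")
                continue
            if r.port != port:
                findings.append(f"{r.name}: port {r.port}, expected {port}")
            target = r.target.lower()
            if target not in a_records:
                findings.append(f"{r.name}: target {r.target} has no A record")
            # Assumed rule from the eggheadcafe reply: the SRV target must be a
            # host inside the SIP domain the record belongs to.
            if not (target == domain or target.endswith("." + domain)):
                findings.append(f"{r.name}: target {r.target} is outside {domain}")
            if target not in cert:
                findings.append(f"{r.name}: certificate does not name {r.target}")
    return findings


# Constructed from the first post: every SRV points at the edge name in domainb.
SIP_DOMAINS = ["domaina.com", "domainb.com"]
ORIGINAL_SRV = [
    Srv("_sipfederationtls._tcp.domaina.com", 5061, "sip.domainb.com"),
    Srv("_sipfederationtls._tcp.domainb.com", 5061, "sip.domainb.com"),
    Srv("_sip._tls.domaina.com", 443, "sip.domainb.com"),
    Srv("_sip._tls.domainb.com", 443, "sip.domainb.com"),
]
ORIGINAL_A = {"sip.domainb.com": "x.x.x.x", "webcon.domainb.com": "x.x.x.x",
              "av.domainb.com": "x.x.x.x", "abs.domainb.com": "x.x.x.x"}

# Constructed from the second post: each SRV now targets a host in its own domain.
REVISED_SRV = [
    Srv("_sipfederationtls._tcp.domaina.com", 5061, "sip.domaina.com"),
    Srv("_sipfederationtls._tcp.domainb.com", 5061, "sip.domainb.com"),
    Srv("_sip._tls.domaina.com", 443, "sip.domaina.com"),
    Srv("_sip._tls.domainb.com", 443, "sip.domainb.com"),
]
REVISED_A = {"sip.domaina.com": "1.1.1.1", "sip.domainb.com": "1.1.1.1"}

# Certificate as issued without the SAN (what the poster later found) versus
# with the SAN the request asked for.
CERT_NO_SAN = ["sip.domainb.com"]
CERT_WITH_SAN = ["sip.domainb.com", "sip.domaina.com"]

if __name__ == "__main__":
    for label, srv, a, cert in [
        ("original layout", ORIGINAL_SRV, ORIGINAL_A, CERT_NO_SAN),
        ("revised layout, cert without SAN", REVISED_SRV, REVISED_A, CERT_NO_SAN),
        ("revised layout, cert with SAN", REVISED_SRV, REVISED_A, CERT_WITH_SAN),
    ]:
        print(f"== {label}")
        for line in check_layout(srv, a, SIP_DOMAINS, cert) or ["ok"]:
            print("  " + line)
```

Run as-is, the original layout fails only on the cross-domain targets for domaina.com, the revised layout fails only because the certificate does not name sip.domaina.com (the error the second post reports), and the revised layout with the SAN present passes. The cross-domain rule is the thread's own claim; RFC 2782 itself allows an SRV target in any zone, so treat that check as a client-compatibility requirement rather than a DNS one.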
The certificate should have sip.domaina.com either as a subject name or in SAN...
Regards,
R. Kinker
MCTS - LCS 2005, MCTS - OCS 2007
http://www.ocspedia.com
http://www.itcentrics.com
Saturday, May 17, 2008 6:11 PM
-
Is there anyway to check what was in the subject alternative name on the server? I am 99% sure that sip.domaina.com was in the list of subject alternative names.
Monday, May 19, 2008 12:28 AM
-
Just open the certificate, go to the Details tab, and look at the Subject Alternative Name property.
Monday, May 19, 2008 12:31 AM
Moderator
-
Looking at the certificate in Certificate MMC snap-in, I don't see a Subject Alternative Name, maybe that could be the problem? I know that things were listed in it when I generated the request. Is there something special I need to do with Verisign to get that field added to the cert? Obviously I will need to generate a new one, just want to make sure that when I do it, I get the correct info in.
Monday, May 19, 2008 2:16 AM
-
I'm sure you did have it in the request - the certificate vendors ignore the SAN unless you are purchasing a certificate that supports SANs. For Verisign you must purchase a Managed PKI offering (https://www.verisign.com/ssl/buy-ssl-certificates/multiple-ssl-certificates/index.html). You may want to investigate Entrust - they offer a UC certificate with up to 10 SANs for about $1100. Others have even reported that you can regenerate the certificate with new SANs if your needs change during the life of the certificate (I haven't personally tested this). Just make sure that your Access Edge name is the subject, otherwise you may have issues with federation.
Monday, May 19, 2008 3:26 AM
Moderator
-
Thanks for your help Mike. I think what we will do is just change everything to domaina.com and get rid of the domainb.com stuff. Can I leave the webcon.domainb.com and av.domainb.com or should those be switched to domaina.com as well? If I change the URL, I assume I need to redo the setup of the EDGE box in order to redo federation request for public IM?
Monday, May 19, 2008 11:32 AM