locked
Public IM on LCS2005 How Many Certs do I need? RRS feed

  • Question

  • I posted a few weeks ago on this and have not received a response.  I will try to explain again in case the post was confusing.

     

    I have setup public IM on LCS2005 before in a single domain environment.  However, now I have a scenario where I have one LCS2005 server and is accessible from the outside by the name sip.domainname.com.  Our single AD domain has users with many smtp domains, so our users sign into LCS with many different sip logins that correspond to their email addresses.  Do I need one certificate for sip.domainname.com and that will work for everyone or do I need a certificate for each domain that my users sign in with?

     

    Thanks and please ask if any clarification is needed.

    Wednesday, January 16, 2008 10:10 PM

All replies

  • You can only attach a single certificate to the Front-End or Edge Server, so mulitple certificates won't help any.

     

    This is where the Subject Alternative Name (SAN) field in the certificate comes into play.  Make sure that the certificate request includes all of your sip domains in the SAN field (it's a multi-valued field).  The returned certificate would look something like this:

     

    Subject Name: sip.domainname.com

    SAN: sip.domainA.com, sip.domainB.org, sip.domainC.net, sip.domainD.com

     

    Wednesday, January 16, 2008 10:47 PM
    Moderator
  • This would be the Access Proxy server.  So the certificate applies to the sip domain names?  What do you do if you have around 100 sip domains?  I don't see many cert providers that allow you to have that many SANS.

    Wednesday, January 16, 2008 11:37 PM
  • Wow, that's a lot of domains.  They are all defined as SIP domains in the OCS configuration?

     

    A quick search located this info:

     

     http://technet.microsoft.com/en-us/library/aa998840.aspx wrote:

    X.509 certificates can contain zero, one, or more DNS names in the Subject Alternative Name (SubjectAltName) certificate extension. DNS names in the SubjectAltName extension exactly match the restrictions of a DNS name. They must not exceed 255 characters and must consist of A-Z, a-z, 0-9 and a dash (-).

     

     

     

    Thursday, January 17, 2008 12:03 AM
    Moderator
  • Yes I work for a company that has about 100 companies under it and we handle everyone's messaging services.  We will have one Access Proxy that services about 50 domains as defined on the back end server under the Forest properties as sip domains.  Everyone's sip login matches their email address so there are many domains.  I know that some cert providers don't support SANS while Verisign supports them but only up to 20 per cert.  How do LCS hosting providers handle this?

    Thursday, January 17, 2008 8:18 PM