SIP Domains and Subject Alternative Name Certs

  • Question

  •   Does anyone know if you have to create a new certificate request every time you add a SIP domain to your access edge server and submit it to your CA (Entrust.net in this case)? If there is a way to add additional SIP domain names to the Subject Alternative Name field in the certificate so it will display under the External Interface settings, please let me know. We add domains constantly and this will be pricey. Thanks in advance.
    Wednesday, December 24, 2008 6:27 PM

All replies

  • Hi,

    From a certificate's perspective (or rather from the authority that creates them) it isn't that easy. First of all they will need to revoke your current certificate and then issue you a new one with the SIP domain you just added. It's doable but you need to see with your provider if they allow you to do this within the agreed price but I guess they won't.

    Either you do an assessment and get all your SIP domains in your certificate when you do your first request, or get your users to use a single/several SIP domains, OR forget about DNS SRV records and automatic configuration. The reason you need the certificate with all the SIP domains is because you need to provide an A record of that SIP domain along with some SRV records so that your clients connecting with that specific SIP domain can automatically discover your OCS infrastructure.
    If you forget about the automatic discovery and manually configure your clients with a specific FQDN, then only this specific FQDN needs to be configured on the certificate regardless of the SIP domain used to log on with. However, as you might guess, this has several disadvantages.

    Probably not the answer you were looking for, but this is how things are today.

    Sincerely, Tonino Bruno Belgian Pro-Exchange Community http://www.pro-exchange.be
    Saturday, December 27, 2008 12:59 PM
  • Thanks for the reply. Can you tell me where it is documented that for manually configured clients with a specific FQDN only this specific FQDN needs to be configured on the certificate, regardless of the SIP domain used to log on with? That means I don't have to add all the SIP domains to the certificate, correct? We currently use the manual configuration.
    Monday, December 29, 2008 5:30 PM
  • Basically all the info you need is in the planning guide and other OCS official documentation.

    If you think of it, you need to create an SRV record for your SIP domain and have it point to a DNS record that is within the same DNS domain. So _sipexternaltls._tcp.sipdomain.com has to point to ocsaccessedge.sipdomain.com. So when Communicator connects to ocsaccessedge.sipdomain.com, the client will verify the certificate it receives from the server and wants to match it with the FQDN it asked to connect to. Therefore these requirements add up to the fact that your Access Edge certificate needs to have the FQDN for every SIP domain that you want to use in your organization. If you don't connect through DNS SRV records and simply configure your Communicator client to connect to ocsaccessedge.siphoster.org, then your Communicator client will verify the Edge server certificate for that specific FQDN. So now on a TLS level you have made your connection to the OCS server and you can sign in with any SIP domain your OCS organization accepts.

    So if you need DNS automatic discovery of your OCS infrastructure, then you need to configure all possible combinations of SIP domains in your Access Edge certificate. If you can live with the fact that you configure the clients manually with a specific FQDN, then there is no need to do this and a certificate with only a specific FQDN is sufficient.

    Tonino Bruno | Belgian Pro-Exchange Community | http://www.pro-exchange.be
    Monday, December 29, 2008 10:09 PM
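    The check Tonino describes above, written out as an added example for this page (it is not code from the thread, from Microsoft or from OCS): for each SIP domain it follows the `_sipexternaltls._tcp.<sipdomain>` SRV record to the Access Edge FQDN and asks whether that FQDN is covered by the names on the certificate, the way a client validates the TLS hostname. The SRV data and certificate names are constructed sample values, and `srv_target` is a stand-in for a real DNS query so the script runs offline; the manual-configuration case is modelled separately to show why a single FQDN suffices there.

```python
# Added example: models the SRV -> FQDN -> certificate-name check described in
# the thread. DNS data and certificate names below are constructed, not real.

# Constructed stand-in for external DNS: SIP domain -> target of its
# _sipexternaltls._tcp SRV record (the Access Edge external FQDN).
SRV_RECORDS = {
    "contoso.example": "ocsaccessedge.contoso.example",
    "fabrikam.example": "ocsaccessedge.fabrikam.example",
    "siphoster.example": "ocsaccessedge.siphoster.example",
}

# Constructed stand-in for the Subject CN plus SAN entries on the Edge cert.
# Note that fabrikam's Access Edge name is deliberately absent.
CERT_NAMES = (
    "ocsaccessedge.siphoster.example",
    "ocsaccessedge.contoso.example",
)


def hostname_matches(presented: str, requested: str) -> bool:
    """RFC 6125-style comparison of one certificate name against the
    hostname the client asked for: exact match, or a single leftmost
    wildcard label that covers exactly one label of the requested name."""
    presented = presented.lower().rstrip(".")
    requested = requested.lower().rstrip(".")
    if presented == requested:
        return True
    if presented.startswith("*."):
        rest = presented[2:]
        labels = requested.split(".")
        # "*.contoso.example" covers "host.contoso.example" but neither
        # "contoso.example" nor "a.b.contoso.example".
        return len(labels) >= 3 and ".".join(labels[1:]) == rest
    return False


def cert_covers(fqdn: str, cert_names=CERT_NAMES) -> bool:
    """True if any name on the certificate matches the requested FQDN."""
    return any(hostname_matches(name, fqdn) for name in cert_names)


def srv_target(sip_domain: str, srv_records=SRV_RECORDS):
    """Simulated lookup of _sipexternaltls._tcp.<sip_domain>.
    A real deployment would query DNS here; this returns the constructed
    record or None when the SIP domain has no SRV record published."""
    return srv_records.get(sip_domain.lower().rstrip("."))


def check_auto_discovery(sip_domains, srv_records=SRV_RECORDS, cert_names=CERT_NAMES):
    """Automatic discovery: each SIP domain is followed to its own Access Edge
    FQDN, which must appear on the certificate. Returns a per-domain status:
    'ok', 'no-srv-record', or 'cert-missing:<fqdn>'."""
    results = {}
    for domain in sip_domains:
        target = srv_target(domain, srv_records)
        if target is None:
            results[domain] = "no-srv-record"
        elif cert_covers(target, cert_names):
            results[domain] = "ok"
        else:
            results[domain] = "cert-missing:" + target
    return results


def check_manual_config(manual_fqdn: str, cert_names=CERT_NAMES) -> bool:
    """Manual configuration: the client connects to one fixed FQDN, so only
    that name has to be on the certificate regardless of the SIP domain
    the user signs in with."""
    return cert_covers(manual_fqdn, cert_names)


if __name__ == "__main__":
    domains = ["contoso.example", "fabrikam.example", "siphoster.example", "northwind.example"]
    for domain, status in check_auto_discovery(domains).items():
        print(f"{domain:22} {status}")
    print("manual config ok:", check_manual_config("ocsaccessedge.siphoster.example"))
```

    Running it shows contoso and siphoster passing, fabrikam failing with `cert-missing:ocsaccessedge.fabrikam.example` (the SRV record exists but the Edge name is not on the certificate), and northwind failing with `no-srv-record`; the manual-configuration check passes because the one FQDN the clients are pointed at is on the certificate.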
  • How would you get the PIC portion working particularly for Yahoo?

    Thursday, January 22, 2009 4:44 PM
  • Specifically what part? You have to at least (1) purchase PIC licenses, (2) configure external DNS records, and (3) assign a third-party trusted certificate. If you have multiple SIP domains you should at least have your default SIP domain (which is the namespace your Edge external services should be set to) configured with SRV/A records and on the certificate SN/SAN. That is the identity used by PIC partners to allow traffic from your OCS environment (e.g. sip.mydomain.com).
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, January 22, 2009 6:36 PM