Certificates for Edge server Questions

  • Question


    I am having trouble understanding what 3rd party certificates I would need.  Please help me clarify.  I have a consolidated server with all three server roles with 3 different IP addresses.  I have no reverse proxy and no director.  I also only have one SIP domain. 



    Access Edge Bear.company.com

    A\V  Lion.company.com

    Web Conference Tiger.company.com

    SIP Domain sip.company.com


    From the edge deployment guide: "For each unique IP address on the external interface that you use for the Access Edge Server and Web Conferencing Edge Server, you will need a separate certificate. ...An external certificate is not required on the A/V edge server"


    I interpreted that to mean that I need 2 3rd party certs.  One for the Access Edge and one for the Web Conference.  I also interpreted that to mean that I could use an internal CA for the A\V edge server. 

    Access Edge Cert SN: bear.company.com SAN: none

    Web Conference Cert SN: tiger.company.com SAN: none

    A\V Cert:  Internal CA with SN: lion.company.com




    I have read also about using 1 cert and using SAN field.  When using the SAN route I have seen the SN either:

    SN: Bear.company.com

    SAN: tiger.company.com, lion.company.com



    SN: sip.company.com

    SAN: bear.company.com, tiger.company.com, lion.company.com



    So I am having trouble determining whether I need 1, 2, or 3 public certs.  I have read that you use the SAN field for multiple SIP domains.  I only have 1 SIP domain, so does that mean I do not use the SAN field?  Does the A\V cert have to be 3rd party for outside party access?  Are any of my 3 scenarios doable?


    Wednesday, July 30, 2008 8:03 PM

All replies

  • You actually need 3 3rd Party Certs if you include the reverse proxy


    The First 3rd Party Cert for Access EDGE

    The Second 3rd Party Cert for Conferencing EDGE


    The Third 3rd Party Cert for Reverse proxy


    The use of SANs is supposed to be for additional SIP Domains like company.com, companya.com and companyb.com

    Then you need all the names in the certificate

    SN : sip.company.com

    SAN : sip.companya.com, sip.companyb.com


    Note :

    It may work if you put all names in one cert, but that is not the way to do it

    The EDGE Configuration wizard reads the name from the cert and saves the configuration according to that name; if you have a different name, then the wizard will replace it with the name on the cert

    So then you have the same name for Access EDGE and Conferencing EDGE in the EDGE Config

    (In consolidated EDGE with only one External NIC that will probably work but not desired config)

    Wednesday, July 30, 2008 8:48 PM
  • I would recommend using a SAN certificate with the following configuration:


    The DN should be the external FQDN of your access edge server, in your case bear.company.com as long as external users/federated partners connect to bear.company.com. 


    The SAN names should be the rest (i.e. tiger.company.com, lion.company.com and sip.company.com)



    Wednesday, July 30, 2008 8:57 PM
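A small checker for the single-SAN-certificate layout recommended in the reply above, added here as an example and not part of the thread. It uses the thread's placeholder hostnames; repeating the CN inside the SAN list and the OpenSSL CSR config rendering are my additions, not something the thread states.

```python
# Constructed example: the consolidated Edge deployment from the thread.
# The hostnames are the thread's placeholders, not real servers.
EDGE_ROLES = {
    "access_edge": "bear.company.com",
    "web_conferencing_edge": "tiger.company.com",
    "av_edge": "lion.company.com",
}
SIP_DOMAINS = ["company.com"]


def required_names(roles=EDGE_ROLES, sip_domains=SIP_DOMAINS):
    """Return (common_name, san_list) for the one-SAN-certificate approach:
    CN = Access Edge FQDN, SAN = the remaining edge FQDNs plus sip.<domain>.
    The CN is repeated in the SAN list (an added assumption) because clients
    that follow RFC 6125 ignore the CN once a SAN extension is present."""
    cn = roles["access_edge"].lower()
    sans = [cn] + [f.lower() for r, f in roles.items() if r != "access_edge"]
    sans += ["sip." + d.lower() for d in sip_domains]
    return cn, sans


def missing_names(cert_cn, cert_sans, required):
    """Names in `required` that a certificate with this CN/SAN does not cover.
    Matching is exact and case-insensitive; wildcards are deliberately not
    honoured, since the Edge wizard stores the literal FQDN from the cert."""
    covered = {cert_cn.lower()} | {s.lower() for s in cert_sans}
    return sorted(n.lower() for n in required if n.lower() not in covered)


def openssl_req_config(cn, sans):
    """Render an OpenSSL `req` config that puts every name into the CSR."""
    alt = ",".join("DNS:" + s for s in sans)
    return (
        "[ req ]\n"
        "prompt = no\n"
        "distinguished_name = dn\n"
        "req_extensions = v3_req\n"
        "[ dn ]\n"
        f"CN = {cn}\n"
        "[ v3_req ]\n"
        f"subjectAltName = {alt}\n"
    )


if __name__ == "__main__":
    cn, sans = required_names()
    print(openssl_req_config(cn, sans))
    # A CN-only Access Edge cert covers one name; the other roles are missing.
    print(missing_names("Bear.company.com", [], sans))
```

Feed the rendered config to `openssl req -new -config <file>` to produce the CSR for the 3rd party CA, and run `missing_names` against the issued certificate's CN and SAN entries before importing it on the Edge.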