OCS Edge Certificate Error
Typically in a basic deployment there are times when Windows workstations and servers which are not members of the internal Active Directory domain need to communicate with OCS servers. This could be attempting to sign in to Office Communicator installed on a test workstation on the internal corporate network, as well as a perimeter-network server (like ISA or an OCS Edge server) attempting an MTLS connection to an internal OCS server. This also applies to external workstations trying to sign in to an Access Edge service which has been configured with a private internal certificate instead of a publicly-trusted third-party cert.

By default, when a Windows computer (Workstation or Server OS) is a member of an Active Directory domain which has an Enterprise Certificate Authority installed in it, that computer automatically trusts that certificate authority. If a multi-tier CA deployment exists, then the client will have already imported all Root and Subordinate CA certificates. This topic has been covered many different times for other PKI-leveraging products, and is discussed in multiple places throughout the OCS product documentation. But it’s a pretty common stumbling block (seen in the TechNet support forums very often) for users and administrators who are new to the idea of using certificates. So here’s a detailed walkthrough to show how to export certificates from certificate authorities and import them into non-domain-joined workstations and servers.

Certificates Console

By default Windows does not include a published Administrative Tool for accessing the certificate store; you must first create the console by adding an MMC snap-in. This process is the same for all current Windows operating system types and versions, and lets you view and manage the certificates on the local computer. It’s important to note
More on OCS Edge Server Certificates
by PointBridge Blogs on September 22nd, 2009 | 9 minute read
Source: http://blogs.perficient.com/microsoft/2009/09/more-on-ocs-edge-server-certificates/

There are a pair of related Office Communications Server 2007 topics I wanted to expand on from previous blog articles (http://blog.schertz.name/2009/08/ocs-managing-ca-certs/) that I’m still seeing come up quite often in both day-to-day projects and in the Microsoft discussion forums. One of them is centered around adding and supporting additional SIP domains. And because the two most common topics in OCS-related issues are Certificates and the Edge Server, it makes sense that deploying certificates on an Edge Server might just be the other topic. Although the screenshots and details will be specific to the more current R2 product, all of these requirements and recommendations apply equally to both 2007 releases.

Edge Server Certificates

So it is probably a good idea to first review the certificate requirements and spell out an important point that is not always clear to the first-time reader of the documentation. Way back in November 2007 I posted an in-depth article that covered many facets of the Edge Server which included this very breakdown of certificate requirements:

Internal Interface
  Issued by: internal Windows Enterprise CA
  Subject Name: the server's FQDN (e.g. ocsedge.contoso.local)

Access Edge Server
  Issued by: trusted third-party certificate authority
  Subject Name: the FQDN used by the client to connect (e.g. sip.contoso.com)

Web Conferencing Edge Server
  Issued by: trusted third-party certificate authority
  Subject Name: unique FQDN (e.g. webconf.contoso.com)

A/V Authentication Edge Server
  Issued by: internal Windows Enterprise CA
  Subject Name: unique FQDN (e.g. av.contoso.com)

This outline mirrors the requirements spelled out in the Certificate Re
Microsoft Lync Server Certificates: What's New & Tips
Source: http://blog.insideocs.com/2010/11/02/microsoft-lync-server-certificates-whats-new-tips/

Like its predecessor, Microsoft OCS, Microsoft Lync Server 2010 relies heavily on PKI certificates to allow servers to verify their identity in TLS connections with clients, and in mutual TLS (MTLS) connections to other servers. Unlike OCS, certificates cannot be viewed or managed directly in the management console. Nowhere in the Lync Control Panel can you view the certificate details by right-clicking on the properties of a Lync server role. They are not present in the new Lync Topology Builder either.

Viewing Certificates in Lync Server

There are two primary ways to see which certificates are in use on a particular Lync server, and the associated certificate details:

1. On any Lync server role, run the Lync Server Deployment Wizard, click on “Install or Update Lync Server System”, and run Step 3: Request, Install or Assign Certificates. This will bring up the Certificate Wizard, which will list and manage all the certificates on this Lync server. You can also request a certificate from an internal CA, or assign an existing certificate, from this wizard.

2. Use the PowerShell cmdlet Get-CsCertificate from the Lync Management Shell. TIP: you need to view all properties on the certificate objects returned to see the SANs. You can do this with Get-CsCertificate | fl -Property *

Note: by default, a Standard Edition Lync Front-End server will use 3 certificates to support sign-in and internal and remote access to Web Services (formerly known as Web Components):

Default certificate: the certificate used for clients to log on to the Front-End.
Web internal certificate: this certificate is used for HTTP/HTTPS requests to the internal Web Services (including Simple URLs).
Web external certificate: this certificate is used when remote clients (outside the firewall) access the web services via the reverse proxy.

In many cases you can use the same certificate for different purposes.

Tip - if you need to quickly and remotely see the details of a particular port on a Lync (or OCS) server, you can use my Remote UC Troubleshooting Tool (RUCT) V1. The "Certificate Information" tab allows you

Source: https://ocsguy.com/2010/11/21/deploying-an-edge-server-with-lync/

In this article and the next I am going to add an Edge server and an XMPP gateway to an existing Lync environment. All articles moving forward will be built on the RTM bits of Lync, but to build the Front End server for this environment I followed the original article here; the only difference is the name of the server and the domain.
The lab has the following servers and IPs:

Server Name              Role                                   IP Address
LyncDC.lyncguy.local     Domain Controller/DNS/CA               10.255.106.160
LyncFE.lyncguy.local     Lync Standard Edition Front End        10.255.106.161
Lyncedge.lyncguy.local   Lync Edge server – not domain joined   10.255.106.162 (internal NIC)

The Active Directory domain name for this lab is LyncGuy.local, with the public SIP domain LyncGuy.com. I prefer to do these labs with different namespaces for AD and the public domain because that is the most common scenario I’ve run into in the real world. To make this work you have to have an internal copy of the public zone and an external copy; this is commonly referred to as “split brain DNS”. To start with I have to create a copy of my public zone on my internal DNS server so internal clients can reach the Lync server directly. To accomplish this I’ve created the following records in DNS:

Record Type   DNS Entry            IP Address
A             meet.lyncguy.com     10.255.106.161
A             dialin.lyncguy.com   10.255.106.161
A             sip.lyncguy.com      10.255.106.161

We also need to create an SRV record for client automatic sign-in. The new record will be for “_sipinternaltls._tcp.lyncguy.com” and will point to sip.lyncguy.com on port 5061.

***Note – you can utilize another name here, such as the Front End server’s name; however, the domain must match the SIP domain. You also must have a SAN entry on the front end certificate to match this entry***

Now that our DNS zone is in order we can plan for our edge server. In this example I will be using 1 internal IP, 3 DMZ IPs and 3 Public IPs. Instead of placing the public IPs directly on the edge server’s public NIC, I will NAT the public IPs to the pri