OCS 2007 R2 Consolidated Edge server configuration – Part II (Certificates and DNS records)

We need to configure certificates on both the internal and external interfaces of the Edge server. To summarize the certificates I used for my consolidated Edge server setup:

  • For Edge server external certificates

Access Edge cert:

  subject name: sip.domainname.com

  subject alternate name: tick the checkbox to add the local Edge server FQDN

Web Conferencing Edge cert:

  subject name: webconf.domainname.com

  subject alternate name: tick the checkbox to add the local Edge server FQDN

A/V authentication cert:

An additional certificate is required for audio/video (A/V) authentication. The private key of the A/V authentication certificate is used to generate authentication credentials. This can be an internal certificate, but as a security precaution, you should not use the same certificate for A/V authentication that you use for any of the Edge Server services. The same A/V authentication certificate must be installed on each Edge Server if multiple servers are deployed in a load-balanced array. This means that the certificate must be from the same issuer and use the same private key.

  • The external Web farm FQDN should be created using lcscmd.exe. In your environment, the command would be:

  lcscmd /web /action:updatepoolurls /externalwebfqdn:ocsexternal.domainname.com /poolname:r2pool01xx

  • For the certificate for this external Web farm FQDN, you can generate a new certificate from your internal CA and configure that certificate on your ISA server, with the OCS external name as its subject name.

“You need to install the root certification authority (CA) certificate for the CA that issued the server certificate on the Web server (that is, the IIS server running your Office Communications Server Web components) on the server running ISA Server 2006. You must install a Web server certificate on your ISA Server. This certificate should match the published FQDN of your external Web farm where you are hosting meeting content and Address Book files. If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN.”

https://technet.microsoft.com/en-us/library/dd441312(office.13).aspx

Required DNS records for the Edge server setup:

Refer to this link for details: https://technet.microsoft.com/en-us/library/dd425138(office.13).aspx

Internal/external server DNS settings

External Edge server

  • To support DNS discovery of your domain by federation partners: an external SRV record for one Edge Server for _sipfederationtls._tcp.<domain>, over port 5061 (where <domain> is the name of the SIP domain of your organization). This SRV should point to an A record with the external fully qualified domain name (FQDN) of the Access Edge service. If you have multiple SIP domains, you need a DNS SRV record for each domain. The Edge Server you choose for this SRV record will be the Edge Server through which all federation traffic will flow.

  • To support external user access through Microsoft Office Communicator and the Microsoft Office Live Meeting client: a DNS SRV record for _sip._tls.<domain>, over port 443, where <domain> is the name of your organization's SIP domain. This SRV record must point to the A record of the Access Edge service. If you have multiple SIP domains, you need a DNS SRV record for each domain; each SRV record can point to a different Edge Server, if you want, to spread the workload.

    If multiple DNS records are returned to a DNS SRV query, the Access Edge service always picks the DNS SRV record with the lowest numerical priority and highest numerical weight. If multiple DNS SRV records with equal priority and weight are returned, the Access Edge service will pick the SRV record that came back first from the DNS server.

  • To resolve domain lookups for the Access Edge service: for each supported SIP domain in your organization, an external A record for sip.<domain> that resolves to the external IP address of the Access Edge service (or to the virtual IP address used by the Access Edge services on the external load balancer, if you have multiple Edge Servers deployed). If a client cannot perform an SRV record lookup to connect to the Access Edge service, it uses this A record as a fallback.

  • To resolve domain lookups for the Web Conferencing Edge service: an external DNS A record that resolves the external name of the Web Conferencing Edge service to the external IP address of the Web Conferencing Edge service (or to the virtual IP address used by the Web Conferencing Edge services on the external load balancer, if you have multiple Edge Servers deployed).

  • To resolve domain lookups for the A/V Edge service: an external DNS A record that resolves the external FQDN of the A/V Edge service to the external IP address of the A/V Edge service (or to the virtual IP address used by the A/V Edge services on the external load balancer, if you have multiple Edge Servers deployed).

External reverse proxy

  • To support Web conferencing for external users: an external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy.

  • To support access to Device Update Service by external devices: an external DNS A record that resolves the external IP address of the reverse proxy to the IP address of the Office Communications Server 2007 R2 Enterprise pool or Standard Edition server hosting Device Update Service. For details, see Device Update Service.

Internal Edge Server

You must set up internal DNS A records so that Office Communications Server 2007 R2 servers within the organization can connect to the internal interface of the Edge Server.

If you have a single Edge Server at one site:

  • You need just one internal DNS A record that resolves the internal FQDN of the Edge Server to the internal IP address of the Edge Server.

  • Additionally, if the A/V Edge service is behind a NAT, you must ensure that the Edge Server can resolve its public FQDN within the perimeter network. To test this, log on directly to the Edge Server itself, ping the external FQDN of the A/V Edge service (for example, av.contoso.com), and ensure that the IP address returned is the public IP address listed in your external DNS. If the IP address returned is the NAT IP address, edit the DNS A record used by the Edge Server so it contains the public IP address, and restart the A/V Edge service.

If you have multiple Edge Servers at one site, you need the following DNS records:

  • One internal DNS A record that resolves the internal FQDN of the Access Edge service array to the virtual IP (VIP) of the Access Edge service array on the internal load balancer.

  • One internal DNS A record that resolves the internal FQDN of the A/V Edge service array to the VIP of the A/V Edge service array on the internal load balancer.

  • For each Edge Server, an internal DNS A record that resolves the internal FQDN of the Web Conferencing Edge service on that server to the internal IP address of the Web Conferencing Edge service on that server.
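As an added example (not part of the original post or of Microsoft's tooling), the following Python checks the external Edge record set described above against a constructed set of DNS answers: it applies the Access Edge SRV selection rule (lowest priority, highest weight, then first returned), confirms the required SRV and A records exist, and flags an A/V Edge FQDN that resolves to an RFC 1918 NAT address instead of the public one. The domain contoso.com, the host names and all addresses are hypothetical sample data embedded in the block.

```python
import ipaddress
from collections import namedtuple
Srv = namedtuple("Srv", "priority weight port target")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample answers standing in for the external DNS zone of the
# hypothetical SIP domain contoso.com (not records from a real deployment).
ZONE = {
    "_sipfederationtls._tcp.contoso.com": [Srv(0, 0, 5061, "sip.contoso.com")],
    "_sip._tls.contoso.com": [  # listed in the order the DNS server returned them
        Srv(10, 50, 443, "sip2.contoso.com"),
        Srv(0, 20, 443, "sip.contoso.com"),
        Srv(0, 60, 443, "sip3.contoso.com"),
        Srv(0, 60, 443, "sip4.contoso.com"),
    ],
    "sip.contoso.com": ["203.0.113.10"],
    "sip2.contoso.com": ["203.0.113.11"],
    "sip3.contoso.com": ["203.0.113.12"],
    "sip4.contoso.com": ["203.0.113.13"],
    "webconf.contoso.com": ["203.0.113.20"],
    "av.contoso.com": ["203.0.113.30"],
}

def pick_srv(records):
    """Access Edge rule: lowest priority, then highest weight, then first returned."""
    best = None
    for r in records:  # strict '<' keeps the earlier record on a full tie
        if best is None or (r.priority, -r.weight) < (best.priority, -best.weight):
            best = r
    return best

def check_edge_dns(domain, webconf_fqdn, av_fqdn, zone=ZONE):
    """Return findings for the external Edge records; an empty list means all present."""
    findings = []
    for name, port in ((f"_sipfederationtls._tcp.{domain}", 5061), (f"_sip._tls.{domain}", 443)):
        srvs = [s for s in zone.get(name, []) if s.port == port]
        if not srvs:
            findings.append(f"missing SRV {name} on port {port}")
            continue
        chosen = pick_srv(srvs)
        if chosen.target not in zone:
            findings.append(f"SRV {name} points at {chosen.target}, which has no A record")
    for fqdn in (f"sip.{domain}", webconf_fqdn, av_fqdn):
        if fqdn not in zone:
            findings.append(f"missing A record for {fqdn}")
    # A/V Edge behind NAT: the name must resolve to the public address, not the RFC 1918 NAT one
    for ip in zone.get(av_fqdn, []):
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            findings.append(f"{av_fqdn} resolves to NAT address {ip}; expected the public IP")
    return findings
```

Swap the constructed ZONE for answers gathered with nslookup from the perimeter network to run the same checks against a real deployment.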