
Configuring OCS 2007 for DNS Splitting

Automatic configuration allows Communicator to find and connect to the appropriate OCS server without manually entering a server name into its settings. Communicator has special requirements for DNS and certificates to make this work properly.

The problem is that OCS, like other Microsoft UC solutions, does not support multiple SIP names out of the box, while most organizations need DNS splitting as a security requirement.

Here is the scenario: we have an organization whose internal domain name is Contoso.ad and which runs an E2K3 server with an e-mail policy for @contoso.com; they need to implement a new OCS server to support internal and external users.

Easy, or so it looks… The problem is that Office Communicator is designed to log on using a server within the same domain name, i.e. in our case the OCS FQDN must be OCSSRV.contoso.ad.

So far so good, but the user must log on as user@contoso.com, so we also have to support the contoso.com SIP domain.

Confused? It is a little tricky… here is the solution.

Hosting domains: Contoso.ad, Contoso.com
OCS computer FQDN: OCSSRV.contoso.ad
Supported SIP domains:
  • Contoso.ad (default, inherited from AD)
  • Contoso.com

DNS Records (Internal)

Split DNS configuration is a requirement for automatic configuration. Simply put, split DNS means you have two DNS zones for one domain name. One DNS zone exists on internal DNS servers and provides name resolution only for internal clients. Another DNS zone exists on external DNS servers to service external clients.

Split DNS is required so that users can use the same sign-on name in Communicator and have their correct login server resolved inside and outside the network.

First, create a primary DNS zone in the internal domain named Contoso.com, and create an A record in it for the OCSSRV server.

The following SRV records need to be created. Note that these records must be created in the DNS database of the servers authoritative for the particular zone.

Service Record (SRV)                A Record             IP Address
_sipinternaltls._tcp.Contoso.ad     OCSSRV.contoso.ad    192.168.1.11
_sipinternaltls._tcp.Contoso.com    OCSSRV.contoso.com   192.168.1.11

Certificate Configuration

To support multiple domains for encrypted communications, all front-ends in the pool must be configured with a certificate. The certificate must match the FQDN returned by any DNS SRV query, so it must contain multiple entries. We call these SANs (Subject Alternative Names); the certificate must include the FQDN of the pool and one entry for each supported SIP domain.

Subject Name:
  • OCSSRV.contoso.ad

Subject Alternative Names:
  • Sip.contoso.ad
  • Sip.contoso.com
  • OCSSRV.contoso.com
  • OCSSRV.contoso.ad

I tried to do that through the OCS certificate configuration wizard… It should work, but if it fails you can do it another way.

(Screenshot: certificate request through the OCS certificate wizard)

(Screenshot: certificate assignment failure)

You have to add Subject Alternative Name (SAN) entries to your OCS certificate. The certificate request is submitted to a certification authority (CA) that is configured on a Microsoft Windows Server 2003-based computer. The SAN lets clients connect to the server by using a Domain Name System (DNS) name other than its computer name. I will explain how to add SAN attributes to a certificate request that is submitted to an enterprise CA (ContosoCA).

How to configure a CA to accept a SAN attribute from a certificate request

By default, a CA that is configured on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service.

Certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

How to create and submit a certificate request

When you submit a certificate request to an enterprise CA, the certificate template must be configured to use the SAN in the request instead of using information from the Active Directory directory service.

How to use Web enrollment pages to submit a certificate request to an enterprise CA

To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:

  1. In Internet Explorer, connect to http://contoso.ad/certsrv.
  2. Click Request a Certificate.
  3. Click Advanced certificate request.
  4. Click Create and submit a request to this CA.
  5. In the Certificate Template list, click Web Server.
  6. Provide identifying information as required.
  7. In the Name box, type the fully qualified domain name of the OCS server.
  8. Under Key Options, set the following options:
    • Create a new key set
    • CSP: Microsoft RSA SChannel Cryptographic Provider
    • Key Usage: Exchange
    • Key Size: 1024
    • Automatic key container name
    • Store certificate in the local computer certificate store
  9. Under Advanced Options, set the request format to CMC.
  10. In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:

San:dns=OCSSRV.contoso.com&dns=sip.contoso.com&dns=sip.contoso.ad&dns=OCSSRV.contoso.ad

Multiple DNS names are separated by an ampersand (&).

  11. Click Submit.
  12. If you see the Certificate Issued Web page, click Install this Certificate.

(Screenshot: certificate SANs)
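The two rules above (every supported SIP domain needs an _sipinternaltls._tcp SRV record, and every SRV target must appear in the certificate's SANs) can be checked before you submit the request. The following script is an added example, not part of the original post; it uses the article's Contoso sample data as constructed input and assumes the naming convention of the SAN table (pool FQDN plus sip.<domain> and <pool host>.<domain> for each SIP domain), then builds the san:dns=... attribute string for step 10.

```python
# Added example (not from the original post): validate the split-DNS SRV
# records against the certificate SAN list and build the web-enrollment
# SAN attribute. Sample data below is a constructed copy of the article's
# Contoso values; nothing is queried from a live DNS server.

POOL_FQDN = "OCSSRV.contoso.ad"
SIP_DOMAINS = ["contoso.ad", "contoso.com"]

# Constructed internal DNS table: SRV name -> (target host, IP address)
SRV_RECORDS = {
    "_sipinternaltls._tcp.contoso.ad": ("OCSSRV.contoso.ad", "192.168.1.11"),
    "_sipinternaltls._tcp.contoso.com": ("OCSSRV.contoso.com", "192.168.1.11"),
}


def expected_sans(pool_fqdn, sip_domains):
    """Pool FQDN plus sip.<domain> and <pool host>.<domain> per SIP domain.

    Assumed convention taken from the article's SAN table; duplicates are
    dropped case-insensitively because DNS names are case-insensitive."""
    host = pool_fqdn.split(".")[0]
    sans = [pool_fqdn]
    for domain in sip_domains:
        for name in (f"sip.{domain}", f"{host}.{domain}"):
            if name.lower() not in (s.lower() for s in sans):
                sans.append(name)
    return sans


def san_attribute(sans):
    """Attribute string typed into the web-enrollment Attributes box."""
    return "san:" + "&".join(f"dns={s}" for s in sans)


def missing_srv(sip_domains, srv_records):
    """SIP domains with no _sipinternaltls._tcp record: automatic sign-in fails."""
    names = {k.lower() for k in srv_records}
    return [d for d in sip_domains if f"_sipinternaltls._tcp.{d}".lower() not in names]


def uncovered_srv_targets(srv_records, sans):
    """SRV targets absent from the SAN list: Communicator rejects the TLS handshake."""
    san_set = {s.lower() for s in sans}
    return [target for (target, _ip) in srv_records.values() if target.lower() not in san_set]


if __name__ == "__main__":
    sans = expected_sans(POOL_FQDN, SIP_DOMAINS)
    print(san_attribute(sans))
    print("SIP domains without SRV record:", missing_srv(SIP_DOMAINS, SRV_RECORDS))
    print("SRV targets missing from certificate:", uncovered_srv_targets(SRV_RECORDS, sans))
```

Both check lists are empty for the article's configuration; a non-empty list points at the exact SIP domain or host name to add before the certificate is requested.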

Now return to OCS Deployment, choose the Configure Certificate wizard, select Assign an existing certificate, and choose the OCSSRV.contoso.ad server authentication certificate.

Assign the certificate in IIS as well and restart it.

(Screenshot: OCS Event Viewer)

(Screenshot: OCS final configuration)

Now you can sign in with user@contoso.com although your pool is OCSSRV.contoso.ad.

See also the related post at The UC Guy.

  1. February 25, 2008 at 7:27 pm

    Good Article

  2. March 18, 2008 at 9:36 am

    Fantastic

  3. chris
    April 27, 2008 at 9:13 am

    love ur work

  4. Andro
    October 15, 2008 at 6:41 pm

    Amazing work

  5. Alberto
    October 15, 2008 at 10:19 pm

    Hello,

    why the sip.xxx.xxx domains as SANs if there are no A records with those names in DNS?

  6. Mohamed Fawzi
    October 16, 2008 at 11:19 pm

    we have to create primary DNS zone in internal domain with name Contoso.com. Create A record in it for OCSSRV server.

    That is why..to support multiple SIP names

  7. November 11, 2008 at 10:55 am

    Can you tell me… If I have my log in set as user@domain.local but I want to have user@anotherdomain.com is this possible?

    In other words, can I have alternate sips? How would I add one?

  8. November 11, 2008 at 10:56 am

    Oh, and ill be adding this page to my faves. Good work!

  9. December 17, 2008 at 1:37 am

    What happens to name resolution for contoso.com in this case? I assume there is an external DNS that is authoritative for that namespace. When you create a primary zone for it on your internal DNS, IT is now authoritative for that zone and internal clients will not be able to resolve addresses for external hosts anymore…

  10. Mohamed Fawzi
    December 17, 2008 at 1:45 am

    I can not get you!! I will answer what I got.

    I do not see any name resolution problem as all your resources will be in your internal zone and only external resources will be in Contoso.com

  11. Chris A. Pabroquez
    January 15, 2009 at 3:46 am

    Nice post….very helpful on my OCS implementation

  12. January 22, 2009 at 12:26 pm

    Good post, about how to configure SRV records for OCS

  13. March 30, 2009 at 10:48 am

    What is the limit of SANs?

  14. Mohamed Fawzi
    March 30, 2009 at 10:29 pm

    Yes SAN certificate has some limitations like:

    1) Windows Mobile (any version) does not support wildcard certificates

    2) Outlook Anywhere (and RPC/HTTP for Exchange 2003) does not support wildcard certificates

    3) UM requires that the machine name of the UM server be the first SAN (or only, for a singly named certificate) in the certificate
    4) ISA 2006 without service pack 1 does not support SAN Certificate

    For more info on Certificate for Exchange read this cool article on the Exchange Team Blog site:

    http://msexchangeteam.com/archive/2007/07/02/445698.aspx

  15. March 31, 2009 at 3:51 am

    Thanks for the quick response.

    We are setting up a OCS 2007 server, and we have several external domains at our company that our customers use to contact us. Some divisions of the business have some domain suffixes and some divisions of the business have other domain suffixes (Example: johndoe@companya.com, johndee@companyb.com, johncee@companyc.com, etc.) In total, we have 80 domain suffixes. We are going to add each of the external domains as SANs to our OCS 2007 certificate, because we would like a user’s IM address to be the same as their email address.

    Is there a limitation on the number of SANs you can have in a single certificate?

  16. Mohamed Fawzi
    March 31, 2009 at 7:44 pm

    I think Entrust support more than that no

    http://www.entrust.net/ssl-certificates/unified-communications.htm

    Check with their support for more information. Hope they will help you.

    Regards

    • James Maddison
      July 5, 2009 at 5:32 am

      I’m using, and have been using, UCC/SAN certs from GoDaddy since 2007 when we first rolled out E12.

      I’m also using GoDaddy UCC certs on my current OCS 2007 R2 rollout.

      Worst case is you install the entire cert chain to the server since the CA might not be recognized. This doesn’t seem to be an issue with server 2008, but it was an issue with server 2003.

      David, I’m trying to accomplish exactly what you are: support multiple external login access within our org. This is due to a merger of two companies. The thing that gets me is that *technically* UCC/SAN certs aren’t supported on the Edge server (though many people report that it works just fine). Internally we have no issues as we run split DNS and we are authoritative DNS for our own domains (we host our own DNS and different servers. This just makes the splitting of the zones easier as I don’t need to coordinate changes with an ISP).

      For hosted access with Exchange involved there will be other concerns: segmenting the GAL(s), etc. Other than that it should work fine.

      I’m using certs from my internal CA for all but where actual external access is needed. Meaning my Frontend server, enterprise pools, and some edge services that only communicate internally. Saved me a lot of money and it works fine. My SIP routing domain is the same as my AD so it makes my life easier in this respect.

      Lastly, GoDaddy is about $3600 for a three year, 100 domain UCC. You can search for “GoDaddy promotional codes” though and easily save another 25%. So figure about $3K from GoDaddy.

      Hope this helps,

      James

  17. September 10, 2009 at 4:23 pm

    Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.
