次の方法で共有


OCS 2007 Enterprise Edition - Certificate & DNS Requirements

Having just deployed Office Communication Server (OCS) 2007 into a customer site, I thought I would share some of my experiences, specifically around DNS and Certificate requirements.

OCS Features Installed

  • Audio & video conferencing
  • Web conferencing
  • NO federation or external user access

OCS Infrastructure Components

  • Software - OCS OCS 2007 Enterprise Edition
  • Hardware
    • 2 x Front End Servers - OCSSRV01 & OCSSRV02
    • 1 x SQL Back End SQL Server (clustered)
    • Load balancer

AD / Mail / Enterprise Pool

  • Windows 2003 AD single forest / single domain
  • Exchange 2007
  • FQDNs
    • AD domain name = company.local
    • Mail domain name = company.com
    • OCS pool = ocspool.company.local

For the customer in question we deployed OCS 2007 Enterprise Edition in a consolidated topology. This creates an Enterprise pool and installs all Enterprise Edition components on each physical server in the pool. When you deploy an Enterprise pool, you install all the servers in the pool as well as the load balancer that distributes traffic to the servers in the pool. You also configure the DNS that enables servers and clients to automatically locate one another. Additionally, as was the case with this customer, other DNS records were required to allow automatic client sign in.

One other important consideration is to determine which SIP domains are to supported by OCS.

SIP domain refers to the host portion of the SIP URIs assigned to users. For example, if SIP URIs are of the form *@company.com, then company.com is the SIP domain. The SIP domain is often different from the internal Active Directory domain, as in the vast majority companies where the email domain name is different to the internal AD domain name.

In my example, I wish to enable users for OCS by using the user's email address to generate the SIP URI, therefore company.com is the preferred SIP domain. The following steps outline how to configure DNS to support this configuration.

Note - As there is currently NO requirement for federation or external user access we are only concerned with internal DNS at this stage.

 

Required DNS Records

  • An internal DNS record that resolves the FQDN of the pool to the virtual IP address of the load balancer used by the Front End Servers in the pool
  • An internal DNS record that resolves the internal Web farm FQDN from the pool to the virtual IP address of the load balancer used by the Web Components Servers in the pool

Required DNS Records for Automatic Client Sign In

  • An internal DNS record that maps _sipinternaltls._tcp.<domain> the FQDN of the pool (for internal TLS connections - TCP can also be used but is not the preferred choice)

To place these requirements in the context of my example:

FQDN of pool SIP Domain DNS SRV Record
ocspool.company.local company.local (default inherited from AD)

An SRV record for _sipinternaltls._tcp.company.local domain over port 5061 that maps to ocspool.company.local

ocspool.company.local company.com

An SRV record for _sipinternaltls._tcp.company.com domain over port 5061 that maps to ocspool.company.local

To configure the DNS records for both SIP domains do the following -

(Refer to https://technet.microsoft.com/en-us/library/bb663654(TechNet.10).aspx for detailed instructions)

In the forward lookup zone for company.local -

  1. Create a DNS A record
    • Name = ocspool
    • FQDN = ocspool.company.local
    • IP = <VIP address of load balancer>
  2. Create a DNS SRV record
    • Service = _sipinternaltls
    • Protocol = _tcp
    • Port number = 5061
    • Host offering this service = ocspool.company.local

In the forward lookup zone for company.com -

  1. Create a DNS A record
    • Name = ocspool
    • FQDN = ocspool.company.com
    • IP = <VIP address of load balancer>
  2. Create a DNS SRV record
    • Service = _sipinternaltls
    • Protocol = _tcp
    • Port number = 5061
    • Host offering this service = ocspool.company.com

The above steps assume that DNS has a primary zone for company.com has been created on the internal DNS server - if none exists create one as this will provide internal name resolution company.com SIP domain. Use nslookup to verify successful creation of the SRV records for both company.local and company.com

 

Certificate Creation & Assignment

OCS requires certificates on each Enterprise Edition server in order to use MTLS (TLS with mutual authentication) in order for the servers to communicate with one another. Additionally, each OCS client will need to trust the server certificate in order to use TLS as the connection method as has been configured in my example.

The OCS installation media provides a Certificate wizard as part of the setup steps to request and assign a certificates to Front End OCS servers. The wizard cannot be used to assign certificates to the Web Components server- this is done via the IIS certificate wizard.

Requesting and assigning certificates is straight forward enough and is documented in detail at the following links

https://technet.microsoft.com/en-us/library/bb663618(TechNet.10).aspx

https://technet.microsoft.com/en-us/library/bb663771(TechNet.10).aspx

The important part is knowing what to include on the certificate request, specifically what to specify as the certificate name and certificate subject alternative name(s), especially when dealing with and supporting multiple SIP domains.

To place this information within the context my example consider the following -

  • FQDN OCS pool = ocspool.company.local
  • FQDN OCS Front End Servers
    • ocssrv01.company.local
    • ocssrv02.company.local

To correctly request certificates for both front servers enter the following -

  1. Certificate name = ocspool.company.local
  2. Certificate subject alternative names include -
    • DNS Name=sip.company.local
    • DNS Name=sip.company.com
    • DNS Name=ocspool.company.com
    • DNS Name=ocssrv01.company.local or ocssrv02.company.local

Comments