DNS records for TLS in OCS 2007 R2

I have added two SIP domains in our AD/Communications Server 2007 R2 (SE):
Primary SIP domain: jetpakgroup.net (also the AD domain)
Secondary SIP domain: jetpak.se (mail domain for users in jetpakgroup.net).

commsrv02.jetpakgroup.net is the internal servername for the OCS 2007 R2 (enabled with a real certificate from Thawte).

If enabling a user for Communicator with a username from @jetpakgroup.net (e.g. the SAM account), it works fine with automatic logons.
I've created a DNS record in the "jetpakgroup.net" zone for _sipinternaltls pointing to commsrv02.jetpakgroup.net, port 5061.

If enabling a user for Communicator with a username from @jetpak.se, it doesn't work with automatic logons. In the "jetpak.se" zone I've created _sipinternaltls pointing to commsrv02.jetpakgroup.net. I've also tried creating a _sipinternal and just a _sip. But nothing seems to work.

But on the other hand - if I type the server name in the communicator client instead of using automatic logons - it works fine.

What should the DNS record look like for the secondary SIP domain (jetpak.se) so I can use it with automatic logons?

Regards
Jonas
1 Solution
 
MohammadSaeed commented:
It seems that everything is fine; just double-check your configuration. Below is your checklist:

_sipinternaltls SRV record under jetpak.se, port 5061, with the host offering this service being your OCS server commsrv02.jetpakgroup.net.

Make sure your certificate includes sip.jetpak.se in the Subject Alternative Name (SAN).

Finally, you can enable "Turn on Windows Logging" from the Communicator options, under the General tab; check the Event Viewer while you are testing, then feed the results back to us if you still face any problems.

Regards,
Mohammad Saeed  
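The checklist above can be expressed as a small offline model of what the client must find before automatic sign-in succeeds: an _sipinternaltls._tcp SRV record in the SIP domain's zone on port 5061, and a certificate whose SAN covers the names the client will check. The code below is an added example, not part of the thread or any Microsoft tooling. The zone data and SAN lists are constructed to mirror the situation described in the question (both zones point at commsrv02.jetpakgroup.net; the current certificate names only that host). One rule is an assumption on my part and is labelled as such in the code: that a SRV target outside the SIP domain is only accepted when the certificate also names sip.<sip domain>, which is what reproduces the behaviour reported (jetpakgroup.net works, jetpak.se does not) and what the answer's SAN advice fixes.

```python
"""Offline model of the OCS 2007 R2 automatic sign-in checklist from the thread.

Constructed data only: no live DNS queries and no real certificate are used.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN without trailing dot


# Constructed zone data mirroring the question: both SIP domains carry an
# _sipinternaltls SRV record pointing at the single OCS front end on 5061.
SRV_RECORDS = {
    "_sipinternaltls._tcp.jetpakgroup.net": [SrvRecord(0, 0, 5061, "commsrv02.jetpakgroup.net")],
    "_sipinternaltls._tcp.jetpak.se": [SrvRecord(0, 0, 5061, "commsrv02.jetpakgroup.net")],
}

# Constructed SAN lists: the certificate as described in the thread (host name
# only) and a reissued certificate carrying sip.<domain> for every SIP domain.
SAN_HOST_ONLY = ["commsrv02.jetpakgroup.net"]
SAN_ALL_SIP_DOMAINS = ["commsrv02.jetpakgroup.net", "sip.jetpakgroup.net", "sip.jetpak.se"]


def lookup_srv(zone, sip_domain, service="_sipinternaltls._tcp"):
    """Return the SRV records for <service>.<sip_domain>, or [] if none exist."""
    return zone.get(f"{service}.{sip_domain.lower()}", [])


def san_matches(san_entries, name):
    """True if `name` is covered by the SAN list.

    A wildcard entry covers exactly one label on the same base domain:
    *.example.com covers www.example.com but neither example.com nor
    www.example.net (the point of the text quoted later in the thread).
    """
    name = name.lower().rstrip(".")
    for entry in san_entries:
        entry = entry.lower().rstrip(".")
        if entry == name:
            return True
        if entry.startswith("*."):
            base = entry[2:]
            head, sep, rest = name.partition(".")
            if sep and rest == base and head != "*":
                return True
    return False


def check_autologon(sip_domain, zone, san_entries):
    """Return a list of problems; an empty list means automatic sign-in should work."""
    sip_domain = sip_domain.lower()
    records = lookup_srv(zone, sip_domain)
    if not records:
        return [f"no _sipinternaltls._tcp SRV record in zone {sip_domain}"]

    problems = []
    for rec in records:
        if rec.port != 5061:
            problems.append(f"SRV target {rec.target} advertises port {rec.port}, expected 5061 for TLS")
        if not san_matches(san_entries, rec.target):
            problems.append(f"certificate does not cover SRV target {rec.target}")
        # ASSUMED client rule (not stated in the thread): a target whose FQDN lies
        # outside the SIP domain is only trusted when the certificate also names
        # sip.<sip domain>. This reproduces the reported behaviour: jetpakgroup.net
        # signs in with the host-only certificate, jetpak.se does not.
        same_suffix = rec.target.lower().endswith("." + sip_domain)
        if not same_suffix and not san_matches(san_entries, f"sip.{sip_domain}"):
            problems.append(
                f"SRV target {rec.target} is outside {sip_domain} and the certificate SAN lacks sip.{sip_domain}"
            )
    return problems


if __name__ == "__main__":
    for domain in ("jetpakgroup.net", "jetpak.se"):
        for label, san in (("host-only cert", SAN_HOST_ONLY), ("reissued cert", SAN_ALL_SIP_DOMAINS)):
            print(f"{domain:16} {label:15} {check_autologon(domain, SRV_RECORDS, san) or 'OK'}")
```

Running the block prints OK for jetpakgroup.net with either certificate and for jetpak.se only with the reissued certificate; with the host-only certificate the jetpak.se check reports the missing sip.jetpak.se SAN entry, which is the gap the answer points at.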
jetpak (Author) commented:
The certificate is signed to commsrv02.jetpakgroup.net. Can I add sip.jetpak.se by myself to that certificate?

"Secure host names on different base domains in one SSL Certificate. A wildcard certificate can protect all first-level subdomains on an entire domain, such as *.example.com. But a wildcard cannot protect both www.example.com and www.example.net."

Shouldn't it be enough with a certificate for the actual host running OCS and the IIS server, in this case commsrv02.jetpakgroup.net?

MohammadSaeed commented:
Unfortunately you can't add it yourself; you must create a new request (but make sure to include all the SIP domains you are planning to support in the SAN of the certificate), then send it to your CA to sign the new request, then assign it to your server.

The link below includes instructions on creating and assigning a new certificate:
http://technet.microsoft.com/en-us/library/dd425371(office.13).aspx

Additionally, Microsoft released a very comprehensive document (just short of 100 pages) that covers everything from basic requirements down to specific scenarios, and the certificate requirements for each scenario.

http://go.microsoft.com/fwlink/?LinkId=163083
jetpak (Author) commented:
Thanks! Now I understand it.