Tips to Deploy Server Certificates with OCS 2007
Jun 9th 2008 · Desmond Lee · Communications Server 2010 (Wave 14) / LCS/OCS 2007 R2 / Windows & Security
Security plays a vital role in an Office Communications Server 2007 infrastructure. All communications channels, server-to-server and client-to-server, are fully encrypted with MTLS and TLS respectively. The key to this lies in the successful deployment of server digital certificates in the environment.
Generating and managing your own certificates from an internal Certificate Authority (CA) based on Windows Server 2003/2008 is relatively simple and cost-effective. Nevertheless, such certificates are typically created for internal consumption and are not automatically trusted beyond the boundaries of the organization’s network*. Therefore, their use should be confined to servers set up behind the corporate firewall that do not provide any form of direct access to the outside world.
By default, certificates issued by the public commercial CAs defined in the Trusted Root Certificate Store of a typical Windows machine are implicitly trusted (unless revoked) and do not require extra configuration effort. This is the recommended type of certificate for all publicly accessible, external-facing network adapters of OCS Edge Servers (Access, Web, A/V Edge Servers).
When procuring a server digital certificate, ensure that the Fully Qualified Domain Name (FQDN) of the server is correctly specified, e.g. hostname.yourdomain.ext. Although it is possible to buy the more expensive wildcard certificates to cover all your servers in the same publicly registered domain (*.yourdomain.ext), OCS 2007 does not officially support their use at this point in time.
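The three rules above (FQDN present in the certificate, no wildcard certificates on OCS 2007, no internal-CA certificates on external-facing Edge interfaces) can be checked mechanically. The following is an added example, not code from the original post; it takes a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the internal CA name `Contoso Internal CA` is an assumed placeholder.

```python
# Added example: audit an OCS 2007 server certificate against the deployment
# rules above. The cert is the dict shape ssl.SSLSocket.getpeercert() returns,
# so a certificate pulled from a live TLS connection can be fed in unchanged.

# Assumption: internal CAs are recognised by issuer commonName; list yours here.
INTERNAL_CA_NAMES = {"Contoso Internal CA"}


def _dns_names(cert):
    """DNS names from subjectAltName, falling back to the subject commonName."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def _issuer_cn(cert):
    """Issuer commonName, or '' if the certificate carries none."""
    for rdn in cert.get("issuer", ()):
        for k, v in rdn:
            if k == "commonName":
                return v
    return ""


def _wildcard_covers(pattern, fqdn):
    """True if '*.domain' would match fqdn (leftmost label only)."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # e.g. ".yourdomain.ext"
    host = fqdn[:-len(suffix)] if fqdn.endswith(suffix) else ""
    return bool(host) and "." not in host


def audit_cert(cert, fqdn, external_facing):
    """Return a list of findings; an empty list means the certificate passes."""
    fqdn = fqdn.lower()
    findings = []
    names = _dns_names(cert)
    if fqdn not in names:
        if any(_wildcard_covers(n, fqdn) for n in names):
            findings.append("wildcard certificate covers %s, but OCS 2007 does "
                            "not officially support wildcard certificates" % fqdn)
        else:
            findings.append("FQDN %s is not among the certificate names %s"
                            % (fqdn, names))
    issuer = _issuer_cn(cert)
    if external_facing and issuer in INTERNAL_CA_NAMES:
        findings.append("issued by internal CA '%s': external clients will not "
                        "trust it on a public-facing Edge interface" % issuer)
    return findings
```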
Observing these few important points should help make your OCS 2007 deployment a much smoother experience.
* use Active Directory Group Policy or System Center Configuration Manager to deploy the certificates to your Windows machines in the domain
Technorati tags: LCS/OCS , Unified Communications, Security