Archive for the ‘Office Communication Server 2007’ Category

Why you can no longer just have one SSL certificate with all the servernames included.

Internal server names in publically recognized SSL certificates are about to become just as extinct as Sharks in Chinese waters.

The CA / Browser forum has decided to implement changes to SSL requirements, that will phase out all use of internal server names in public SSL certificates. The CA / Browser forum includes all the major certificate authorities and browser developers, so the change will be forced upon everyone.

The negative impact

It especially hits small to medium businesses with just a few servers. I.e. Exchange, Lync and Small Business Server, where a single SAN certificate including both public and internal server names, will save them both time and resources otherwise needed for reconfiguration, internal PKI solutions and/or reverse proxy and similar systems to allow usage of a separate internal and external SSL certificate on a single website/service.

Exchange 2010 will by default use a single website and configure it self to use its internal FQDN i.e. exchangeserver01.fairssl.local and external FQDN i.e. webmail.fairssl.dk for this one website/SSL certificate. The change will require a change in configuration or systems surrounding the Exchange 2010 environment to continue working without both names in one SSL certificate.

SBS 2011 on the other hand has received the functionality to use split DNS to use the external server name both internally and externally, this not much mentioned change may have something to do with Microsoft being on the CA / Browser forum board, so they would have known about this change for a while.

Larger companies typically have more resources and will have an easier time separating internal and external SSL certificates, without having to buy new solutions like Forefront TMG, SSL offloaders, Internal PKI, etc. But my guess is still that a large number of them will still need to change some configuration to avoid problems with internal server names.

Why?

The reasoning behind this phase out is to secure against Man-in-The-Middle (MTM) attacks, where it is possible to pretend to be an internal server via a publicly recognized SSL certificate. Even thou it is a highly unlikely way to attack most systems, the theoretical possibility is enough to spark the change. I just wish they had been a little more giving on the deadlines.

My personal recommendation to my customers with SSL certificates containing internal server names Read the rest of this entry »

Debugging an OCS installation just got easier

I might be realy slow in discovering this, after all it has been some months since I last touched an OCS installation. I seriusly wished I had this tool when I was last time thou.

This tool just like the Exchange testing tool, will show all the steps involved in connecting to an OCS system and produce any errors and confirmations that everything is working, excellent for debugging or even just validating that everything is working as it should. I found the link to the tool on a new danish UM experience sharing group (all danish) http://www.colabora.dk/.

The actual tool can be found here: https://www.testocsconnectivity.com/

Thought I would also add some extra info and show what the tool can produce of results (FQDN’s and IP’s changed)

Read the rest of this entry »

How to get external SAN UC SSL certificates that work with OCS 2007 R2 and avoid having to read 100 blog posts!

Been reading up on external and internal DNS names used by OCS 2007 R2 ? Your head stopped spinning yet? So you’ve decided on what FQDN’s to use, next step order some SSL certificates, should be easy enough right, You allready figured out You need SLL certificates that are Unified Communications Certificates (UCC) enabled. In my example I will use GlobalSign Domain Validated SAN’s, if I needed multiple domains for example for @sole.dk and @soleit.dk, I would choose GlobalSign Organisation Validated SAN’s instead.

For a GlobalSign SSL certificate to be UCC enabled, it must use SAN domains, no other way of enabling it. So no point in spending lots of budget on seperate SSL certificates for each service. SAN Subdomains are also quite alot cheaper than buying seperate SSL certificates.

One of the tricky parts of Office Communications Server 2007 R2 and SSL certificates, is that You can not use one single SAN SSL for all services, if You intend to use port 443 for all services!

Why would we only use port 443 ? Read the rest of this entry »

Todays update from Microsoft (KB974571) makes Office Communication Server think it is an expired evaluation!

The updates I mentioned in a previous post here http://www.sole.dk/post/microsoft-security-bulletin-for-october-2009/

Happened to have an update that kills Office Communication Server 2007 all editions (R2/Standard/Enterprise) and Live Communication Server 2005 (and SP1 edition).

The error that comes up in the event logs is that the server believes that it is an evaluation and just expired with this message: “The evaluation period for Microsoft Office Communications Server 2007 R2 has expired. Please upgrade from the evaluation version to the full released version of the product.”

I also got this message in the event logs: “Error Code: C3E93C23 (SIPPROXY_E_INVALID_INSTALLATION_DATA)”

Event ids logged: 12290 Read the rest of this entry »