Certificates - Have I got all the domains covered?

    Question

  • Hi everyone,

    We've just grown from a single SIP domain to having another 5; subsequently, we're now going through the process of updating our external certificates, as well as soon adding mobility to the mix. I want to make sure I have all the domain names covered on new certificates so we don't have to purchase more due to an oversight.

    1. Can there be a single lyncdiscovery external record for multiple SIP domains or must there be a different one for each SIP domain and thus separate SANs in the certificate?
    2. Anyone see any issues with the below setup?

    Main SIP Domain: old.com

    Additional SIP Domains: new.com, au.new.com, cn.new.com, hk.new.com and uk.new.com.

    The simple URLs and external web services are going to be: dialin.new.com, meet.new.com/XX/meet (Replace XX with country codes from additional SIP domains) and sipproxy.new.com.

    The edge domains are going to be: sip.new.com, conf.new.com, av.new.com

    Based on the above I believe I need the following certificates:

    Reverse Proxy Certificate

    • Common Name: sipproxy.new.com
    • Alternative Name: meet.new.com
    • Alternative Name: dialin.new.com
    • Alternative Name: lyncdiscover.new.com
    • Alternative Name: lyncdiscover.au.new.com
    • Alternative Name: lyncdiscover.cn.new.com
    • Alternative Name: lyncdiscover.hk.new.com
    • Alternative Name: lyncdiscover.uk.new.com

    Edge Server Certificate

    • Common Name: sip.new.com
    • Alternative Name: conf.new.com
    • Alternative Name: av.new.com

    Thanks everyone.

    March 1, 2012 6:59

Answers

All replies

  • Hey Mark

    As I can see, you have got all the names covered, except for the old.com domain. Is this getting removed, or are you reusing the old certificate separately?

    As for the lyncdiscover, a separate host A record should exist externally for each separate domain you have, as per below:

    http://technet.microsoft.com/en-us/library/hh690030.aspx 

    • Marked as answer by _MarkH_ March 1, 2012 8:47
    March 1, 2012 7:22
  • Hi Hany,

    Thanks for that. I forgot to mention we will be keeping some of the old.com FQDNs such as meet.old.com, but as for others such as dialin we don't use so no need to keep it.

    It's unfortunate that the mobile clients can't be cnamed to a different domain (i.e. have lyncdiscover.au.new.com and lyncdiscover.cn.new.com both cname to lyncdiscover.new.com) and only use the certificate for the ultimate destination.

    Thanks again Hany.

    March 1, 2012 8:47
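
Added example, not part of the thread: a coverage check that derives one lyncdiscover name per SIP domain, as the answer above requires, and reports which required names a proposed certificate leaves out. The domain names come from the thread; the helper names are hypothetical, and it assumes old.com stays a SIP domain with meet.old.com still published and that a wildcard stands for exactly one leftmost label.

```python
# Added example: SAN coverage check for the reverse proxy certificate.
# Domain names are from the thread; function names are hypothetical.

SIP_DOMAINS = ["old.com", "new.com", "au.new.com", "cn.new.com",
               "hk.new.com", "uk.new.com"]

# Web FQDNs published through the reverse proxy (assumption: meet.old.com
# is kept, as mentioned in the follow-up reply).
WEB_FQDNS = ["sipproxy.new.com", "meet.new.com", "dialin.new.com",
             "meet.old.com"]

# Common name plus alternative names proposed in the question.
PROPOSED_CERT = ["sipproxy.new.com", "meet.new.com", "dialin.new.com",
                 "lyncdiscover.new.com", "lyncdiscover.au.new.com",
                 "lyncdiscover.cn.new.com", "lyncdiscover.hk.new.com",
                 "lyncdiscover.uk.new.com"]


def normalize(name):
    """Lower-case a DNS name and drop whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def covers(cert_name, host):
    """True if a single certificate name matches host.

    A wildcard is honoured only as the whole leftmost label and stands
    for exactly one label, so *.new.com does not match a.b.new.com.
    """
    cert_name, host = normalize(cert_name), normalize(host)
    if not cert_name.startswith("*."):
        return cert_name == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == cert_name[2:]


def required_names(sip_domains, web_fqdns):
    """Web FQDNs plus one lyncdiscover.<domain> per SIP domain."""
    names = {normalize(f) for f in web_fqdns}
    names |= {"lyncdiscover." + normalize(d) for d in sip_domains}
    return names


def missing_names(cert_names, sip_domains, web_fqdns):
    """Sorted list of required names that no certificate name covers."""
    needed = required_names(sip_domains, web_fqdns)
    return sorted(h for h in needed
                  if not any(covers(c, h) for c in cert_names))


if __name__ == "__main__":
    for label, cert in (("proposed", PROPOSED_CERT), ("wildcard", ["*.new.com"])):
        print(label, "is missing:", missing_names(cert, SIP_DOMAINS, WEB_FQDNS))
```

The wildcard case shows why a single `*.new.com` entry would not replace the per-country lyncdiscover names: each of them sits two labels below new.com.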