Office Communications Server 2007 certificate problem

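  • Question

  • Recently, while testing the installation of Office Communications Server 2007 beta3, I reached the Configure Certificate step and followed the guide, but in the end it always fails (my current lab environment is 1 AD (running IIS and a stand-alone root CA) plus one Standard Edition server). Could anyone who has installed it tell me whether any additional certificate settings are needed (I have installed 2005, and installing the server certificate in 2005 took quite a few steps)?

       Thanks

    February 9, 2007, 3:49 AM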

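Answers

  • The method for installing the certificate is the same as in LCS2005. If you know how to do it in LCS2005, there should be no problem.
    April 1, 2007, 1:14 PM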
  •  

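    Installing certificates in OCS2007 is now more convenient, and each service has its own separate certificate, but your certificate server also has to be installed correctly, so you can refer to the following steps: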

    To configure a new certificate

    1.       Log on to your Standard Edition Server as a member of the Administrators group.

    2.       Insert the Microsoft Office Communications Server 2007 CD. The Deployment Tool will start automatically. If you are installing from a network share, go to the \I386 folder, and then double-click setup.exe.

    3.       Click Deploy Standard Edition Server.

    4.       At Configure Certificate, click Run.

    5.       On the Welcome to the Communications Certificate Wizard page, click Next.

    6.       On the Available certificate tasks page, click Create a new certificate, and then click Next.

    7.       On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.

    8.       On the Name and Security Settings page, do the following:

    ·         Under Name, enter a meaningful name for the certificate that this server will use for Office Communications Server communications.

    ·         Under Bit length, select the bit length that you want to use for encryption. A higher bit length is more secure, but it can degrade performance.

    ·         Clear the Mark cert as exportable check box.

    9.       When you are finished, click Next.

    10.    On the Organization Information page, type or select the name of your organization and organizational unit, and then click Next.

    11.    On the Your Server’s Subject Name page, do the following:

    ·         In Subject Name, verify that the server FQDN is displayed.

    ·         Optionally, click Subject Alternate Name, and then type the alternate name(s) that identify the server during authentication.

    Note

    There are several scenarios that require you to configure a certificate Subject Alternate Name:

    ·        If your SIP domain is different from the Active Directory domain, add the FQDN of the SIP domain as the Subject Alternate Name.

    ·        If the internal FQDN that you plan to use for the Web Components Server is different from the external FQDN and you plan to configure the reverse proxy in the perimeter network for tunneling, add the external FQDN as the Subject Alternate Name.


     

    ·         To include the local computer name on the list of alternate names that identify the server during authentication, select the Automatically add local machine name to the Subject Alt Name check box.

    12.    When you are finished, click Next.

    13.    On the Geographical Information page, enter the Country/Region, State/Province, and City/Locality. Do not use abbreviations. When you are finished, click Next.

    14.    On the Choose a Certification Authority page, select your certification authority (CA) from the dropdown list or type the name of your CA in the Certification Authority box. If you type an external CA name, a dialog box appears. Type the user name and password for the external CA, and then click OK. When you are finished, click Next.

    15.    On the Request Summary page, review the settings that you specified, and then click Next.

    16.    On the Certificates Wizard completed successfully page, click Assign.

    17.    A dialog box displays informing you that the settings were applied successfully. Click OK.

    18.    Click Finish.

    To configure an existing certificate

    1.       Log on to the Standard Edition Server as a member of the Administrators group.

    2.       Insert the Microsoft Office Communications Server 2007 CD. The Deployment Tool will start automatically. If you are installing from a network share, go to the \I386 folder, and then double-click Setup.exe.

    3.       Click Deploy Standard Edition Server.

    4.       At Configure Certificate, click Run.

    5.       On the Welcome to the Communications Certificate Wizard page, click Next.

    6.       On the Available certificate tasks page, click Assign an existing certificate, and then click Next.

    7.       On the Available Certificates page, click the certificate that you want to assign to the server, and then click Next.

    8.       On the Available certificate assignments page, do the following:

    ·         To assign the certificate to all the server components on the local computer, select the Default Server Certificate check box.

    ·         To assign the certificate to a specific transport and port, select the check box that corresponds to the desired transport, port, and listening address combination. If you have more than one Office Communications Server in your environment, you must select the check box to assign a certificate, which may be different from the one that you use as the default server certificate, to the MTLS listening address.

    Note

    If (Have certificate) is displayed next to any of the entries on the Available certificates assignments page, a certificate is already configured. If you proceed, the certificate you choose will be used instead of the one that is already configured.


     

     

    9.       When you are finished, click Next.

    10.    On the Configure the certificate settings of your Server page, review the certificate assignments, and then click Next to assign the certificate.

    11.    Click Finish.

    Assign the Web Components Server (IIS) Certificate

    Assign the certificate to the Web Components Server by using the Internet Information Services (IIS) Manager.

    To assign the certificate to the Web Components Server (IIS)

    1.       Log on to the server as a member of the Administrators group.

    2.       Click Start, click Control Panel, click Administrative Tools, and then click Computer Management.

    3.       Expand the Services and Applications node, and then expand the Internet Information Services (IIS) Manager node.

    4.       Expand the Web Sites node, right-click Default Web Site, and then click Properties.

    5.       Click the Directory Security tab.

    6.       Under Secure communications, click Server Certificate.

    7.       On the Welcome to the Web Server Certificate Wizard page, click Next.

    8.       Click Assign an existing certificate, and then click Next.

    9.       Select the certificate that you requested using the Certificates Wizard, assuming the certificate matches the name of the Web Components Server or pool, and then click Next.

    10.    On the SSL Port page, verify that port 443 will be used for SSL, and then click Next.

    11.    Review the certificate details, and then click Next to assign the certificate.

    12.    Click Finish to exit.

    13.    Click OK to close the Default Web Site Properties page.

     

    September 18, 2007, 1:48 AM

All replies

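  • I have been testing this recently too, and my situation is about the same as yours. The difference is:

    I chose enterprise CA as the CA type, and it went through without problems. I then started the services, and hosts in the same AD can all log in as clients,

    but computers that are not in this AD cannot act as clients.

    Now I want a computer that does not belong to this AD to become a client. Can anyone give me some pointers?

    May 10, 2007, 1:16 AM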
  • Import the CA's root certificate on the client and try again.
    May 23, 2007, 3:51 AM
    Moderator
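
A check for the two certificate conditions this thread turns on, the Subject Name / Subject Alternate Name requirements in the wizard steps and the root CA trust a non-domain client needs, written here as an added example and not taken from the thread or from Microsoft's documentation. It assumes Windows PowerShell on Windows; the function name `Test-OcsCertificate` and the host names `ocs01.contoso.example` and `sip.fabrikam.example` are hypothetical.

```powershell
# Added example. Function name and host names are hypothetical placeholders.
function Test-OcsCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)][string]$ServerFqdn,
        [string[]]$RequiredAltNames = @()
    )
    # Subject common name: the wizard expects this to be the server FQDN.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $subjectCn = $Certificate.GetNameInfo($nameType, $false)

    # Subject Alternative Name extension (OID 2.5.29.17). On Windows, Format($true)
    # prints one "label=value" entry per line, e.g. "DNS Name=ocs01.contoso.example".
    $sanNames = @()
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanNames = @($sanExt.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    # Names the deployment needs (SIP domain, external FQDN) that the SAN lacks.
    $missing = @($RequiredAltNames | Where-Object { $sanNames -notcontains $_ })

    # Build the chain against this machine's trust stores. Revocation checking is
    # switched off so the result isolates root trust (a lab CA's CRL may be unreachable).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    $errors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Thumbprint         = $Certificate.Thumbprint
        SubjectCN          = $subjectCn
        SubjectMatchesFqdn = ($subjectCn -eq $ServerFqdn)
        MissingAltNames    = $missing
        ChainTrusted       = $trusted
        ChainErrors        = $errors   # e.g. UntrustedRoot when the root CA is not installed
    }
}

# Check every certificate with a private key in the local machine's personal store.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        Test-OcsCertificate -Certificate $_ -ServerFqdn 'ocs01.contoso.example' -RequiredAltNames 'sip.fabrikam.example'
    }
```

The function also accepts a certificate loaded from an exported .cer file, so the same check can be run on a client outside the AD; `ChainTrusted` false with `UntrustedRoot` there is the condition the moderator's reply addresses.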