I was working with a customer to get them federated with Microsoft and the question came up - would they need Subject Alternate Name or SAN entries on their external cert?

 

You need to understand the three types of Federation you can setup with OCS to get the answer:

  1. Direct Federation - only federate with designated partners - requires the sip domain and associated fqdn of each federated partners edge
  2. Enhanced Federation - only federate with designated partners - requires sip domain only and OCS discovers the edge FQDN via SRV/A records
  3. Open Federation - federate with anyone - requires domain specific SRV/A records

 

The key bit here is SRV records - anytime you discover the fqdn of a server via these records and that fqdn differs from the actual machine name (which should match on the cert's subject name) you're going to need a SAN entry that matches to establish a TLS session.

 

So … for my customer they were doing Enhanced Federation and they did support multiple internal SIP domains so the answer here is Yes.  Note this same reasoning applies internally if you're relying on internal SRV records for client auto-configuration and you have multiple SIP domains - gonna need SAN entries on those certs.

 

Thanks to Thomas Binder for helping me with this - Thomas is a Microsoft Consultant in Austria and one of the first Microsoft Certified Masters in OCS!