This posting is provided "AS IS" with no warranties, and confers no rights. The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way. Please use the Microsoft Forums for support requests.
– How many public certificates do I need, in order to configure external access to my OCS 2007 pool? – 3. One for the HTTP Reverse Proxy, one for the OCS Access Edge and one for the OCS Web Conferencing Edge. – Even if I'm using a consolidated Edge topology? – Yes! – But can't I just use a super-mega-jumbo SAN certificate with all the required alternative names? – No! – Why not? – Because!
Well, to tell you the truth, it's not "because": it is the official support policy written in the OCS 2007 Supportability Guide, the OCS 2007 Planning Guide and the OCS 2007 Edge Server Deployment Guide.
Here's a summary of the external certificate requirements:
– But why can't I just use my internal CA? – Well, to tell you the truth, it's technically possible, as long as you remember these guidelines:
It is very unlikely that these requirements will change with the release of Office Communications Server 2007 R2.
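As an added example (not part of the original post), here is a PowerShell check that connects to each of the three externally published roles, reports the certificate each one presents, and warns when two roles are served by the same certificate, which is the setup the support policy rules out. The hostnames and ports are assumed placeholders; replace them with your own external FQDNs.

```powershell
# Added example, not from the original post. Hostnames and ports are assumptions:
# replace them with the external FQDNs your clients and federation partners use.
$roles = @(
    @{ Role = 'HTTP Reverse Proxy';     HostName = 'ocsweb.example.com';  Port = 443  },
    @{ Role = 'Access Edge';            HostName = 'sip.example.com';     Port = 5061 },
    @{ Role = 'Web Conferencing Edge';  HostName = 'webconf.example.com'; Port = 443  }
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; trust is evaluated separately below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$seen = @{}   # thumbprint -> role that presented it
foreach ($entry in $roles) {
    try {
        $cert = Get-RemoteCertificate -HostName $entry.HostName -Port $entry.Port
    } catch {
        Write-Warning "$($entry.Role) ($($entry.HostName):$($entry.Port)): $_"
        continue
    }

    # Build the chain on this machine to see whether the issuer is a trusted (public) CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    $subject = $cert.GetNameInfo('SimpleName', $false)
    $issuer  = $cert.GetNameInfo('SimpleName', $true)

    if ($subject -ne $entry.HostName) { Write-Warning "$($entry.Role): subject '$subject' does not match '$($entry.HostName)'" }
    if (-not $trusted)                { Write-Warning "$($entry.Role): chain does not build to a trusted root" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "$($entry.Role): certificate expires $($cert.NotAfter)" }

    # One certificate reused across roles is exactly the unsupported configuration.
    if ($seen.ContainsKey($cert.Thumbprint)) {
        Write-Warning "$($entry.Role) presents the same certificate as $($seen[$cert.Thumbprint])"
    } else {
        $seen[$cert.Thumbprint] = $entry.Role
    }

    '{0,-22} subject={1} issuer={2} expires={3:d}' -f $entry.Role, $subject, $issuer, $cert.NotAfter
}
```

Run it from a machine outside the corporate network so the connections take the same path your remote users do.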
Recently, I was doing some tests with Exchange Unified Messaging, but when I tried to connect to Exchange Voice Mail using Communicator R2, I got the following error:
"Incompatible security setting. The call could not be completed because security levels do not match"
An Exchange UM dial-plan supports three different security levels: Unsecured, SIP Secured, and Secured. The following table shows the differences in terms of Mutual TLS and SRTP for the various security levels.
Table columns: VoIP Security, Mutual TLS, SRTP.
When integrating Exchange UM with Office Communications Server 2007, consider the following when selecting the dial plan security level:
The registry key PC2PCAVEncryption (REG_DWORD) can be used to specify whether encryption is supported, required, or not supported when making and receiving audio and video calls. The supported values are:
BTW, if you're playing around with this registry key (or any other), you may find it useful to know that Communicator uses the following precedence when applying settings:
Further investigation revealed the following error on Communicator logs:
"SIP/2.0 415 Unsupported Media Type"
After this, it seemed quite obvious that the problem had to do with encryption, more specifically with the SRTP setting. The solution? There are 2 possible ones:
One final note: the problem didn't affect Office Communicator 2007, only the R2 client, so we can assume the R2 clients will be more secure than their predecessors.