3.6 Configure Certificates for Front End, Web Conferencing and A/V Server Roles

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Office Communications Server requires certificates on each Enterprise Edition Server in order to use MTLS (TLS with mutual authentication). All Office Communications Servers use MTLS to communicate with one another. If you do not configure MTLS on each server, presence and IM communication may not work properly.

Each client will also need to trust the certificate that the server is using in order to connect to the server by using TLS. You can use the Certificates Wizard on an Enterprise Edition Front End Server, Web Conferencing Server, or Audio/Video Conferencing Server to do the following:

  • Request, create, and assign a new Web certificate with enhanced key usage for server authentication.

  • Assign an existing certificate.

You cannot use the Certificates Wizard to request or assign the certificate for the Web Components Server. Instead, that certificate must be requested and assigned by using the IIS certificate wizard, as explained in 3.7 Configure the Web Components Server IIS Certificate.

Use the certificate assignment procedures that are appropriate for your deployment scenario.

Note

For more information about submitting a request to a public CA, see Appendix A: Generate an Offline Request (for a Public CA).

To configure a new certificate

  1. Log on to the server for which you want to configure a certificate with an account that is a member of the Administrators and the RTCUniversalServerAdmins group and has permissions to request a certificate from your certificate authority.

  2. Insert the Microsoft Office Communications Server CD. The deployment tool will start automatically. If you are installing from a network share, go to the \Setup\I386 folder, and then double-click Setup.exe.

  3. In the deployment tool, do one of the following:

    • Click Deploy Pools in a Consolidated Topology.

    • Click Deploy Pools in an Expanded Topology.

  4. If, in the previous step, you clicked Deploy Pools in a Consolidated Topology, skip to the next step. If, in the previous step, you clicked Deploy Pools in an Expanded Topology, do one of the following, depending on the type of server:

    • If you are logged on to a Front End Server, click Add Front End Server.

    • If you are logged on to a Web Conferencing Server, click Add Web Conferencing Server.

    • If you are logged on to an Audio/Video Conferencing Server, click Add Audio/Video Conferencing Server.

    • If you are logged on to a server that is running the Web Components Server, see the procedures in 3.7 Configure the Web Components Server IIS Certificate later in this document.

  5. At Configure Certificate, click Run.

  6. On the Welcome to the Certificate Wizard page, click Next.

  7. On the Available certificates tasks page, click Create a new certificate, and then click Next.

  8. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.

  9. On the Name and Security Settings page, do the following:

    • Under Name, enter a meaningful name for the certificate that this server will use for Office Communications Server communications.

    • Under Bit length, select the bit length that you want to use for encryption. A higher bit length is more secure, but it can degrade performance.

    • Clear the Mark cert as exportable check box.

  10. When you are finished, click Next.

  11. On the Organization Information page, type or select the name of your organization and organizational unit, and then click Next.

  12. On the Your Server’s Subject Name page, do the following:

    • In Subject Name, verify that the pool FQDN is displayed.

    • In Subject Alternate Name, verify that the required entries exist. Optionally, click Subject Alternate Name, and then type any alternate names that identify the pool during authentication.

      Note

      SANs are required on your server for each supported SIP domain, in the format sip.<domain>, if all of the following are true:

        • Your organization supports multiple SIP domains.

        • Clients are using automatic configuration.

        • This pool is used to authenticate and redirect client sign-in.

      If you selected the option to configure clients for automatic logon or the option to configure this pool to redirect sign-in requests when you ran the Configure Pool Wizard, the Certificates Wizard automatically adds these SIP domains to the certificate request.

    • To include the local computer name on the list of alternate names that identify the pool during authentication, select the Automatically add local machine name to the Subject Alt Name check box.

  13. When you are finished, click Next.

  14. On the Geographical Information page, enter the Country/Region, State/Province and City/Locality. Do not use abbreviations. When you are finished, click Next.

  15. On the Choose a Certification Authority page (where the wizard attempts to automatically detect any CAs published in Active Directory), do one of the following:

    • Click Select a certificate authority from the list detected in your environment, and then click your certification authority (CA) in the list.

    • Click Specify the certificate authority that will be used to request this certificate, and then type the name of your CA in the box, using the format <FQDN of CA>\<CA instance>. For example, CA.contoso.com\CAserver1. If you type an external CA name, a dialog box appears. Type the user name and password for the external CA, and then click OK.

  16. When you are finished, click Next.

  17. On the Request Summary page, review the settings that you specified and then click Next.

  18. On the Certificates Wizard completed successfully page, click Assign.

    A dialog box appears and informs you that the settings were applied successfully.

  19. Click OK.

  20. Click Finish.

  21. Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA). If your CA is configured for automatic approval, proceed to the next procedure. If your CA requires CA administrator approval to issue a certificate, the administrator must manually approve or deny the certificate issuance request on the issuing CA before you can assign it.

To assign an existing certificate

  1. Log on to the server for which you want to configure a certificate with an account that is a member of the Administrators and the RTCUniversalServerAdmins group.

  2. Insert the Microsoft Office Communications Server CD. The deployment tool will start automatically. If you are installing from a network share, go to the \Setup\I386 folder, and then double-click Setup.exe.

  3. In the deployment tool, do one of the following:

    • Click Deploy Pools in a Consolidated Topology.

    • Click Deploy Pools in an Expanded Topology.

  4. If, in the previous step, you clicked Deploy Pools in a Consolidated Topology, skip to the next step. If, in the previous step, you clicked Deploy Pools in an Expanded Topology, do one of the following, depending on the type of server:

    • If you are logged on to a Front End Server, click Add Front End Server.

    • If you are logged on to a Web Conferencing Server, click Add Web Conferencing Server.

    • If you are logged on to an Audio/Video Conferencing Server, click Add Audio/Video Conferencing Server.

    • If you are logged on to a server that is running the Web Components Server, see 3.7 Configure the Web Components Server IIS Certificate later in this document.

  5. At Configure Certificate, click Run.

  6. On the Welcome to the Certificate Wizard page, click Next.

  7. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.

  8. On the Available Certificates page, click the certificate that you want to assign to the server, and then click Next.

  9. On the Configure the Certificate(s) of your Server page, review the certificate assignments, and then click Next to assign the certificate.

  10. Click Finish.

  11. Repeat these steps for each Enterprise Edition Server in your pool.
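After either procedure above (creating a new certificate or assigning an existing one) has been run on a server, the assigned certificate can be checked against the requirements this section describes: a subject name matching the pool FQDN, a sip.<domain> Subject Alternative Name for each SIP domain (when the conditions in the note under step 12 apply), the Server Authentication enhanced key usage, and a private key that is present but not marked exportable. The following PowerShell script is an added example and is not part of the original guide or of Office Communications Server. It assumes PowerShell 2.0 or later, that the certificate was placed in the local machine Personal store, that the key is a CAPI (RSACryptoServiceProvider) key, and that the extension text returned by .Format() uses the English "DNS Name=" label; pool01.contoso.com, contoso.com and fabrikam.com are placeholder values.

```powershell
# Added example (not from the original guide): verify the certificate assigned to
# an Enterprise Edition server against the requirements described in this section.
# Assumptions: PowerShell 2.0+, local machine Personal store, CAPI key, English
# "DNS Name=" label in the formatted SAN extension.
function Test-OcsPoolCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$PoolFqdn,   # pool FQDN shown in Subject Name (assumed value in usage below)
        [string[]]$SipDomains = @(),                     # SIP domains requiring sip.<domain> SANs (pass only when the note's conditions apply)
        [switch]$ExpectLocalMachineName                  # set if "Automatically add local machine name" was selected
    )

    $serverAuthOid = "1.3.6.1.5.5.7.3.1"                 # Server Authentication EKU
    $localName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Names that must appear in the Subject Alternative Name extension.
    $required = @($PoolFqdn)
    foreach ($d in $SipDomains) { $required += "sip.$d" }
    if ($ExpectLocalMachineName) { $required += $localName }

    $results = @()
    foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My)) {
        # Only look at certificates whose subject names this pool.
        if ($cert.Subject -notmatch ("CN=" + [regex]::Escape($PoolFqdn))) { continue }

        # --- SAN: collect the DNS names listed in the extension (OID 2.5.29.17) ---
        $sanNames = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if ($sanExt) {
            $sanNames = $sanExt.Format($true) -split "`r?`n" |
                ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $matches[1].Trim() } }
        }
        $missing = $required | Where-Object { $sanNames -notcontains $_ }

        # --- EKU (OID 2.5.29.37): must include Server Authentication ---
        $hasServerAuth = $false
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
        if ($ekuExt) {
            $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        }

        # --- Private key: present, and not exportable (the wizard clears that check box) ---
        $exportable = "unknown"
        if ($cert.HasPrivateKey) {
            try {
                $info = $cert.PrivateKey.CspKeyContainerInfo   # requires rights to read the machine key
                if ($info) { $exportable = $info.Exportable }
            } catch { $exportable = "unreadable" }
        }

        $results += New-Object PSObject -Property @{
            Thumbprint        = $cert.Thumbprint
            Subject           = $cert.Subject
            NotAfter          = $cert.NotAfter
            HasServerAuthEku  = $hasServerAuth
            HasPrivateKey     = $cert.HasPrivateKey
            KeyExportable     = $exportable
            MissingSanEntries = ($missing -join ", ")
            Ok                = ($hasServerAuth -and $cert.HasPrivateKey -and ($exportable -eq $false) -and -not $missing)
        }
    }
    return $results
}

# Usage: run on each Enterprise Edition server after the wizard has assigned the certificate.
# Placeholder names; replace with your pool FQDN and SIP domains.
Test-OcsPoolCertificate -PoolFqdn "pool01.contoso.com" -SipDomains "contoso.com","fabrikam.com" -ExpectLocalMachineName |
    Format-List Subject, Thumbprint, NotAfter, HasServerAuthEku, HasPrivateKey, KeyExportable, MissingSanEntries, Ok
```

Run it in an elevated PowerShell session on the server, since reading the machine key container requires administrative rights. A result with Ok set to False points at the specific problem (a missing SAN entry, a missing Server Authentication EKU, or an exportable key), which is faster than re-running the wizard and reading the Request Summary page; a missing sip.<domain> entry in particular means the Configure Pool Wizard options for automatic logon or sign-in redirection were not set before the certificate was requested.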