Step 4 Configure Certificates on the Internal Interface of Your Edge Servers

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

After you have installed, activated, and configured your new Access Edge Server, you must configure certificates on it. How you configure your certificates depends on whether your Access Edge Server is part of an array:

  • For a single-site edge topology, which has a single Access Edge Server, you need a certificate configured on the internal interface with a subject name that matches the internal FQDN of the edge server computer.

  • For a scaled single-site edge topology, which has a load-balanced array of Access Edge Servers, you need a certificate configured on the internal interface with a subject name that matches the internal FQDN of the VIP address that is used by the Access Edge Server on the internal load balancer. This certificate must be marked as exportable on the first computer where you configure the certificate and must then be imported on each additional computer in the Access Edge Server array.

The certificate on the internal interface of your Access Edge Server must match the DNS A record that resolves to the internal IP address of the Access Edge Server. As explained earlier, how you configured your new Access Edge Server determines the process you use to assign certificates to your new edge server:

  • If you used the same internal FQDN on your new Access Edge Server, you can configure the same certificate that you used on your existing Live Communications Server 2005 with SP1 Access Proxy. Export the certificate from your Access Proxy, and then use the Certificate Wizard to import the certificate and assign it to the internal interface of the edge server.

  • If you used a different internal FQDN on your new Access Edge Server, you must request a new certificate and assign it to the internal interface of the Access Edge Server.
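The matching requirement above (subject name equal to the internal FQDN, FQDN backed by a DNS A record for the internal address) can be checked before the wizard is run. The following PowerShell script is an added example, not part of the Microsoft guide; it uses only the .NET X509 classes so it does not depend on newer certificate cmdlets. $InternalFqdn and $Thumbprint are assumed placeholder parameters; for a scaled edge topology pass the FQDN of the internal VIP.

```powershell
# Added example (not part of the Microsoft guide): checks that the certificate intended for
# the internal interface of an Access Edge Server carries the internal FQDN as its subject
# CN or as a DNS entry in subjectAltName, has a private key, is inside its validity period,
# and that the DNS A record for that FQDN resolves to an address on this computer.
# $InternalFqdn is an assumed placeholder; for a load-balanced array pass the VIP's FQDN.
param(
    [string]$InternalFqdn = "edge01.corp.example",   # assumed placeholder value
    [string]$Thumbprint   = ""                        # optional: check one certificate only
)

function Get-CertificateDnsNames($cert) {
    # Subject CN plus every "DNS Name=" entry of the subjectAltName extension (OID 2.5.29.17).
    # Format() returns a localized string; "DNS Name=" is the English label.
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq "2.5.29.17") {
            foreach ($entry in ($ext.Format($false) -split ",\s*")) {
                if ($entry -match "^DNS Name=(.+)$") { $names += $matches[1].Trim() }
            }
        }
    }
    return $names
}

function Get-LocalIPv4Addresses {
    # IPv4 addresses bound to any interface on this computer.
    [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object { $_.Address.AddressFamily -eq "InterNetwork" } |
        ForEach-Object { $_.Address.IPAddressToString }
}

# Resolve the A record once; for an array this is the VIP, not a local address.
$resolved = @()
try {
    $resolved = @([System.Net.Dns]::GetHostAddresses($InternalFqdn) | ForEach-Object { $_.IPAddressToString })
} catch {
    Write-Warning "DNS lookup for $InternalFqdn failed: $_"
}
$localIps = @(Get-LocalIPv4Addresses)
$resolvesHere = @($resolved | Where-Object { $localIps -contains $_ }).Count -gt 0

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
try {
    $certs = $store.Certificates
    if ($Thumbprint) { $certs = $certs.Find("FindByThumbprint", $Thumbprint, $false) }
    foreach ($cert in $certs) {
        $names = @(Get-CertificateDnsNames $cert)
        # One result object per certificate in LocalMachine\My.
        New-Object PSObject -Property @{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NameMatchesFqdn = ($names -contains $InternalFqdn)
            HasPrivateKey   = $cert.HasPrivateKey
            InValidity      = ($cert.NotBefore -le (Get-Date) -and $cert.NotAfter -gt (Get-Date))
            ARecord         = ($resolved -join ", ")
            ARecordIsLocal  = $resolvesHere
        }
    }
} finally {
    $store.Close()
}
```

NameMatchesFqdn, HasPrivateKey and InValidity must all be True for the certificate you intend to assign. ARecordIsLocal is expected to be True for a single edge server; in a load-balanced array the A record points at the VIP, so compare the ARecord column with the VIP address instead.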

Option 4.1 Configuring the Certificate with the Same Internal FQDN as the Existing Access Proxy

If you are using the same internal FQDN for your Office Communications Server 2007 Access Edge Server as the one that you used on your Live Communications Server 2005 with SP1 Access Proxy, use the following steps to set up a certificate on the internal interface for your Office Communications Server 2007 Access Edge Server. These steps are explained in detail in the following sections:

  1. Export the certificate from your Live Communications Server 2005 SP1 Access Proxy.

  2. Import the certificate for the internal interface on the first edge server.

  3. Verify that the CA (certification authority) is on the list of trusted root CAs for each Access Edge Server.

  4. If the edge server is part of an array, import the certificate on the other edge servers in the array.

  5. Assign the certificate to the internal interface of each edge server.

After you export the certificate from your Live Communications Server 2005 SP1 Access Proxy, use the Certificate Wizard to complete most of the certificate setup procedures for the internal interface. You can start this wizard from the Office Communications Server 2007 installation media, as described in the following procedures, or by using the Computer Management snap-in on your Access Edge Server.

Note

The procedures in this section are based on a Microsoft Windows Server® 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, see the documentation that is provided by the CA. By default, all authenticated users have the necessary user rights to request certificates.

Step 4.1.1 Export the certificate from your Live Communications Server 2005 SP1 Access Proxy

Use the following procedure to export the certificate from your Live Communications Server 2005 SP1 Access Proxy.

To export the certificate from your Live Communications Server 2005 SP1 Access Proxy

  1. Log on to your Access Proxy as a member of the Administrators group.

  2. Click Start, and then click Run. In the Open box, type mmc, and then click OK.

  3. On the File menu, click Add/Remove Snap-in.

  4. In the Add/Remove Snap-in dialog box, click Add.

  5. In the Available Standalone Snap-ins list, select Certificates.

  6. Click Add.

  7. Click Computer account, and then click Next.

  8. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

  9. Click Close, and then click OK.

  10. In the console tree of the Certificates console, expand Certificates (Local Computer).

  11. Expand Personal.

  12. Click Certificates, and then in the result pane, right-click the certificate that is to be used on the internal interface, point to All Tasks, and then click Export.

  13. In the Export Wizard, click Next.

  14. Click Yes, export the private key, and then click Next.


  15. On the Export file format page, click Personal Information Exchange – PKCS #12 (.PFX).

  16. Select the Include all certificates in the certification path if possible check box.

  17. Clear the Enable strong protection check box, and then click Next.

  18. Complete the wizard by accepting all remaining default values and by indicating the disk or network share where you want to save the certificate.

Step 4.1.2 Import the certificate for the internal interface on the first edge server

Use the following procedure to import the certificate to the internal interface of your Access Edge Server or of the first Access Edge Server in an array.

To import the certificate for the internal interface

  1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

  2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.

  3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

  4. On the Welcome page, click Next.

  5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.

  6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the Access Proxy in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next.

  7. On the Import Certificate password page, type the password that you used when you exported the certificate from the Access Proxy in the Password box, and then click Next.

  8. On the wizard completion page, verify successful completion, and then click Finish.

Step 4.1.3 Verify that the CA is on the list of trusted root CAs

For each Access Edge Server that you deploy, use the following procedure to verify that the CA for the edge server is on the list of trusted root CAs.

To verify that your CA is on the list of trusted root CAs

  1. On the Access Edge Server, open an MMC console: Click Start, and then click Run. In the Open box, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.

  4. In the Certificate snap-in dialog box, click Computer account, and then click Next.

  5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

  8. In the details pane, verify that your CA is on the list of trusted CAs.

Step 4.1.4 Import the certificate on subsequent Access Edge Servers (if you are deploying an Access Edge Server array)

For each Access Edge Server that you deploy, use the following procedure to import the certificate for an additional Access Edge Server if you are using an Access Edge Server array.

To import the certificate for the internal interface

  1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the local Administrators group and the RTC Local Administrators group.

  2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.

  3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

  4. On the Welcome page, click Next.

  5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.

  6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the Access Proxy in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next.

  7. On the Import Certificate Password page, type the password that you used when you exported the certificate from the Access Proxy in the Password box, and then click Next.

  8. On the wizard completion page, verify successful completion, and then click Finish.

Step 4.1.5 Assign the certificate on the Access Edge Server

For each Access Edge Server that you deploy, use the following procedure to assign the certificate to the internal interface.

To assign the certificate to the internal interface of the edge server

  1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

  2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.

  3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

  4. On the Welcome page, click Next.

  5. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.

  6. On the Available Certificates page, click the certificate that you requested for the internal interface of this edge server, and then click Next.

  7. On the Available Certificate Assignments page, select the Access Edge Server Private Interface check box (the server interface on which you want to install the certificate), and then click Next.

  8. On the Configure the Certificate(s) of Your Server page, review your settings, and then click Next to assign the certificates.

  9. On the wizard completion page, click Finish.

Option 4.2 Configuring the Certificates with a Different Internal FQDN

If you are using a different internal FQDN for your Office Communications Server 2007 Access Edge Server than the one that you used on your Live Communications Server 2005 SP1 Access Proxy, use the following steps to set up a certificate on the internal interface for your Office Communications Server 2007 Access Edge Server. These steps are explained in detail in the following sections:

  1. Download the CA certification path for the internal interface.

  2. Install the CA certification path for the internal interface.

  3. Verify that the CA is on the list of trusted root CAs.

  4. Create the certificate request for the internal interface.

  5. Import the certificate for the internal interface on the first edge server.

  6. Export the certificate.

  7. Import the certificate on other edge servers.

  8. Assign the certificate for the internal interface to each edge server.

For most of these steps, you can use the Office Communications Server Certificate Wizard. You can start this wizard from the Office Communications Server 2007 installation media, as described in the following procedures, or from the Computer Management snap-in on your Access Edge Server.

Note

The procedures in this section are based on using a Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, see the documentation that is provided by the CA. By default, all authenticated users have the necessary user rights to request certificates.

Step 4.2.1 Download the CA certification path for the internal interface

Use the following procedure to download the CA certification path on the internal interface of your Access Edge Server.

To download the CA certification path for the internal interface

  1. With your Enterprise root CA offline and your Enterprise subordinate (issuing) CA Server online, log on to a server in the internal network (not the Access Edge Server) as a member of the Administrators group.

  2. Click Start, click Run, type http://<name of your Issuing CA Server>/certsrv, and then click OK. If prompted, enter your user name and password.

  3. Under Select a task, click Download a CA certificate, certificate chain, or CRL.

  4. Under Download a CA Certificate, Certificate Chain, or CRL, click Download CA certificate chain.

  5. In the File Download dialog box, click Save.

  6. Save the .p7b file to the hard disk on the server, and then copy it to a folder on each Access Edge Server. Verify that the file contains all the certificates that are in the certification path. To view the certification path, open the server certificate, and then click the certification path.

Step 4.2.2 Import the CA certification path for the internal interface

Use the following procedure to import the CA certification path on the internal interface of your Access Edge Server.

To import the CA certification path for the internal interface

  1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

  2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.

  3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

  4. On the Welcome page, click Next.


  5. On the Available Certificate Tasks page, click Import a certificate chain from a .p7b file, and then click Next.

  6. On the Import Certificate Chain page, type the full path and file name of the .p7b file in the Path and file name box (or click Browse to locate and select the file), and then click Next.

  7. Click Finish.

  8. Repeat this procedure on each edge server.

Step 4.2.3 Verify that the CA is on the list of trusted root CAs

For each Access Edge Server that you deploy, use the following procedure to verify that the CA for the edge server is on the list of trusted root CAs.

To verify that your CA is on the list of trusted root CAs

  1. On the Access Edge Server, open an MMC console: Click Start, and then click Run. In the Open box, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.

  4. In the Certificate snap-in dialog box, click Computer account, and then click Next.

  5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

  8. In the details pane, verify that your CA is on the list of trusted CAs.
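Steps 4.2.1 through 4.2.3 (and the identical check in Step 4.1.3) ask you to confirm that the downloaded .p7b file holds the whole certification path and that the CA ends up in the trusted root store. The following PowerShell script is an added example, not part of the Microsoft guide: it opens the chain file, checks that every issuer in it is either self-signed or also present in the file, and reports which of its certificates already sit in the local computer's Trusted Root and Intermediate Certification Authorities stores. $ChainFile is an assumed placeholder path.

```powershell
# Added example (not part of the Microsoft guide): inspects the CA certificate chain file
# (.p7b) downloaded from the issuing CA's web enrollment pages, checks that the chain it
# contains is complete (every issuer is either self-signed or also in the file), and
# reports whether each certificate is already in this computer's Trusted Root ("Root") or
# Intermediate Certification Authorities ("CA") store. $ChainFile is an assumed placeholder.
param([string]$ChainFile = "C:\certs\issuing-ca-chain.p7b")   # assumed placeholder path

function Test-InLocalMachineStore([string]$StoreName, $cert) {
    # True when a certificate with the same thumbprint is in LocalMachine\<StoreName>.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, "LocalMachine")
    $store.Open("ReadOnly")
    try {
        return ($store.Certificates.Find("FindByThumbprint", $cert.Thumbprint, $false).Count -gt 0)
    } finally {
        $store.Close()
    }
}

# X509Certificate2Collection.Import understands PKCS #7 (.p7b) files as well as .cer and .pfx.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($ChainFile)
if ($bundle.Count -eq 0) { throw "No certificates found in $ChainFile" }

# Index the file's certificates by subject so each issuer can be looked up.
$bySubject = @{}
foreach ($c in $bundle) { $bySubject[$c.Subject] = $c }

$complete = $true
foreach ($c in $bundle) {
    $isRoot = ($c.Subject -eq $c.Issuer)
    if (-not $isRoot -and -not $bySubject.ContainsKey($c.Issuer)) {
        Write-Warning "Issuer of '$($c.Subject)' is missing from the file: $($c.Issuer)"
        $complete = $false
    }
    # One result object per certificate in the chain file.
    New-Object PSObject -Property @{
        Subject        = $c.Subject
        Thumbprint     = $c.Thumbprint
        IsRoot         = $isRoot
        NotAfter       = $c.NotAfter
        InTrustedRoot  = (Test-InLocalMachineStore "Root" $c)
        InIntermediate = (Test-InLocalMachineStore "CA" $c)
    }
}

if ($complete) {
    Write-Host "Chain file is complete: every issuer is present in the file."
} else {
    Write-Warning "Chain file is incomplete; download the chain again or obtain the missing CA certificate."
}
```

Run it on each edge server after importing the chain: the self-signed entry should show InTrustedRoot = True, and each subordinate (issuing) CA should show InIntermediate = True. A root that is missing from the Trusted Root store is exactly what the MMC check in step 8 above is meant to catch.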

Step 4.2.4 Create the certificate request for the internal interface

For each Access Edge Server that you deploy, use the following procedure to create the certificate request for the internal interface.

To create the certificate request for the internal interface

  1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the local Administrators group and the RTC Local Administrators group.

  2. On the Access Edge Server, insert the Office Communications Server 2007 CD, and then click Setup.exe.

  3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

  4. On the Welcome page, click Next.

  5. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.

  6. On the Select a component page, select the Edge Server Private Interface check box, and then click Next.

  7. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box, and then click Next.

    Note

    If the Enterprise CA is reachable from the edge server, you can use the Send the request immediately to an online certification authority option. Because this is usually not the case, this procedure and other certificate request procedures in this guide do not cover the use of that option.

  8. On the Name and Security Settings page, type a friendly name for the certificate, and then specify the bit length (typically, the default of 1024). Select the Mark cert as exportable check box, and then click Next.

  9. On the Organization Information page, enter the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.

  10. On the Your Servers Subject Name page, type or select the subject name and subject alternate name of the edge server. The subject name should match the FQDN of the edge server that is published by the internal firewall for the internal interface on which you are configuring the certificate:

    • For the internal interface of the edge server, the subject name should match the name that your internal servers use to connect to the edge server (typically, the FQDN of the internal interface for the edge server).

    • If you are using a load balancer, the edge server traffic still uses the FQDN of the internal edge of the server (server name). If you are using a virtual IP address for the edge server, the certificate should match the FQDN of the virtual IP address that is used by this server role on the internal load balancer. For the internal interface, this is typically the published DNS name for the perimeter network that maps to the edge server.

  11. Click Next.

  12. On the Geographical Information page, type the location information, and then click Next.

  13. On the Certificate Request File Name page, type the full path and name of the file to which the request is to be saved in the File name box (or click Browse to locate and select the file), and then click Next. A typical path and file name is C:\certrequest_AccessEdge.txt.

  14. On the Request Summary page, click Next.

  15. On the wizard completion page, verify successful completion, and then click Finish.

  16. Submit this file to your CA by e-mail or another method that is supported by your organization for your Enterprise CA. When you receive the response file, copy the new certificate to this computer so that it is available for import.

Step 4.2.5 Import the certificate on the internal interface

For each Access Edge Server that you deploy, use the following procedure to import the certificate on the internal interface of the Access Edge Server.

To import the certificate for the internal interface

  1. On the Access Edge Server on which you created the certificate request, log on as a member of the Administrators group and the RTC Local Administrators group.

  2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.

  3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

  4. On the Welcome page, click Next.

  5. On the Available certificate tasks page, click Process the pending request and import the certificate, and then click Next.

  6. Type the full path and file name of the certificate that you requested for the internal interface of the edge server (or click Browse to locate and select the certificate), and then click Next.

  7. Click Finish.
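The offline request produced in Step 4.2.4 and completed in Step 4.2.5 can also be generated and installed from the command line with certreq.exe, which lets you review the request contents before sending them to the CA and keeps the settings (key length, exportability, machine key set) explicit. The following PowerShell script is an added example, not part of the Microsoft guide: it writes a certreq .inf file, creates the PKCS #10 request, and prints the certreq -accept command that installs the issued certificate against the pending request. The FQDN, organization, location and file paths are placeholders (the request file name follows the guide's example); the "{text}" subjectAltName syntax is the certreq form documented for Windows Server 2008 and later, so on a Windows Server 2003 certreq treat that section as an assumption.

```powershell
# Added example (not part of the Microsoft guide): builds the same kind of offline PKCS #10
# request for the internal interface that the wizard's "Prepare the request now, but send it
# later" option produces, using certreq.exe and an .inf file. FQDN, organization, location
# and paths are placeholders; the request file name is the one the guide uses as an example.
# The [Extensions] "{text}" SAN syntax is documented for Windows Server 2008+ certreq.
param(
    [string]$InternalFqdn = "edge01.corp.example",          # placeholder
    [string]$Organization = "Contoso",                      # placeholder
    [string]$OrgUnit      = "IT",                           # placeholder
    [string]$Locality     = "Redmond",                      # placeholder
    [string]$State        = "WA",                           # placeholder
    [string]$Country      = "US",                           # placeholder
    [string]$InfFile      = "C:\certrequest_AccessEdge.inf",
    [string]$RequestFile  = "C:\certrequest_AccessEdge.txt" # path used in the guide
)

# Comments inside the .inf use ';' on their own lines.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
; Subject = the name internal servers use to reach this interface: the server FQDN or,
; for a load-balanced array, the FQDN of the internal VIP.
Subject = "CN=$InternalFqdn, OU=$OrgUnit, O=$Organization, L=$Locality, S=$State, C=$Country"
FriendlyName = "Access Edge internal interface"
; The guide's wizard default is 1024 bits; 2048 is the minimum accepted today.
KeyLength = 2048
; AT_KEYEXCHANGE, required for TLS key exchange.
KeySpec = 1
; digitalSignature (0x80) + keyEncipherment (0x20).
KeyUsage = 0xA0
; Same as the wizard's "Mark cert as exportable"; needed to copy the key to the array.
Exportable = TRUE
; Key is stored in the computer's key store, not the logged-on user's.
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$InternalFqdn&"
"@

Set-Content -Path $InfFile -Value $inf -Encoding ASCII
& certreq.exe -new $InfFile $RequestFile
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

Write-Host "Request written to $RequestFile. Submit it to the Enterprise CA using your organization's process."
Write-Host "When the issued certificate (.cer) is copied back to this server, bind it to the pending request with:"
Write-Host "    certreq.exe -accept <path-to-issued-certificate.cer>"
```

The key pair is created in the computer's key store when certreq -new runs, so the later certreq -accept must be executed on the same server, which is the same constraint the wizard's "Process the pending request and import the certificate" task has.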

Step 4.2.6 Export the certificate (if you have an Access Edge Server array)

If you are using an Access Edge Server array, use the following procedure to export the certificate from your Access Edge Server so that you can import it to other Access Edge Servers in your array.

To export the certificate for the internal interface for importing to other edge servers

  1. On the edge server on which you requested and imported the certificate, log on as a member of the Administrators group and the RTC Local Administrators group.

  2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.

  3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

  4. On the Welcome page, click Next.

  5. On the Available Certificate Tasks page, click Export a certificate to a .pfx file, and then click Next.

  6. On the Available Certificates page, in the Select a certificate list, click the certificate that you imported to this edge server as described in the previous procedure, and then click Next.

  7. On the Export Certificate page, type the full path and file name to which you want to export the certificate in the Path and file name box (or click Browse to locate and specify a location and file), and then click Next.

  8. On the Export Certificate Password page, type the password to be used to import the certificate on the other edge servers in the Password box, and then click Next.

  9. On the wizard completion page, verify successful completion, and then click Finish.

  10. Copy the exported file to a location or media that is accessible by the other edge servers.

Step 4.2.7 Import the certificate for additional Access Edge Servers (if you have an Access Edge Server array)

If you are using an Access Edge Server array, use the following procedure to import the certificate to each Access Edge Server in the array.

To import the certificate for the internal interface of each Access Edge Server

  1. On the other Access Edge Servers where you will import the certificate, log on as a member of the Administrators group and the RTC Local Administrators group.

  2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.

  3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

  4. On the Welcome page, click Next.

  5. On the Available Certificate Tasks page, click Import a certificate from a .pfx file, and then click Next.

  6. On the Import Certificate page, type the full path and file name of the certificate that you exported from the first edge server in the Path and file name box (or click Browse to locate and select the certificate), clear the Mark cert as exportable check box, and then click Next.

  7. On the Import Certificate Password page, type the password that you typed when you exported the certificate from the first server in the Password box, and then click Next.

  8. On the wizard completion page, verify successful completion, and then click Finish.
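The export in Step 4.2.6 (and the MMC export from the Access Proxy in Step 4.1.1) and the import in Step 4.2.7 (and Steps 4.1.2 and 4.1.4) move the same .pfx file between servers. The following PowerShell functions are an added example, not part of the Microsoft guide: Export-EdgeCertificate writes the internal-interface certificate, its private key and its certification path to a PKCS #12 file, and Import-EdgeCertificate loads such a file on another array member with the key marked non-exportable, mirroring the wizard choices above. Thumbprint, paths and password are parameters; the values shown in the usage lines are placeholders.

```powershell
# Added example (not part of the Microsoft guide): exports the internal-interface certificate
# with its private key and certification path to a PKCS #12 (.pfx) file on the first edge
# server, and imports such a file on another edge server of the array with the private key
# marked non-exportable, which is what the wizard choices in the procedures above do.
# Thumbprint, file paths and password are parameters; the usage values are placeholders.
function Export-EdgeCertificate {
    param([string]$Thumbprint, [string]$PfxPath, [string]$Password)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        $found = $store.Certificates.Find("FindByThumbprint", $Thumbprint, $false)
        if ($found.Count -ne 1) { throw "Expected exactly one certificate with thumbprint $Thumbprint, found $($found.Count)" }
        $cert = $found[0]
        if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in LocalMachine\My" }

        # Include the issuing CA certificates, as the wizard's "Include all certificates in the
        # certification path if possible" option does. The leaf goes in first, with its key.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = "NoCheck"
        [void]$chain.Build($cert)
        $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        [void]$bundle.Add($cert)
        for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
            [void]$bundle.Add($chain.ChainElements[$i].Certificate)
        }

        # Export throws a CryptographicException if the key was not marked exportable when
        # the certificate was requested or imported on this server.
        $bytes = $bundle.Export("Pfx", $Password)
        [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
        return $bundle.Count
    } finally {
        $store.Close()
    }
}

function Import-EdgeCertificate {
    param([string]$PfxPath, [string]$Password)
    # MachineKeySet: key goes to the computer's key store; PersistKeySet: key stays after the
    # object is released. Exportable is deliberately absent ("clear Mark cert as exportable"),
    # so the key cannot be exported again from this server.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet, PersistKeySet"
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import($PfxPath, $Password, $flags)

    $my   = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Store("CA", "LocalMachine")
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $my.Open("ReadWrite"); $ca.Open("ReadWrite"); $root.Open("ReadOnly")
    $leaf = $null
    try {
        foreach ($c in $bundle) {
            if ($c.HasPrivateKey) {
                $my.Add($c); $leaf = $c                       # the server certificate itself
            } elseif ($c.Subject -eq $c.Issuer) {
                # Trusting a root CA is a deliberate decision: report it, never add it silently.
                if ($root.Certificates.Find("FindByThumbprint", $c.Thumbprint, $false).Count -eq 0) {
                    Write-Warning "Root CA '$($c.Subject)' is not in Trusted Root Certification Authorities; verify it and add it deliberately."
                }
            } else {
                $ca.Add($c)                                   # intermediate (issuing) CA
            }
        }
    } finally {
        $my.Close(); $ca.Close(); $root.Close()
    }
    if ($leaf -eq $null) { throw "No certificate with a private key was found in $PfxPath" }
    return $leaf.Thumbprint
}

# Usage (placeholders). Read the password interactively rather than storing it in a script.
# On the first edge server:
#   $pw = Read-Host -Prompt "PFX password"
#   Export-EdgeCertificate -Thumbprint "<thumbprint>" -PfxPath "C:\certs\edge-internal.pfx" -Password $pw
# On each other edge server, after copying the .pfx to it:
#   Import-EdgeCertificate -PfxPath "C:\certs\edge-internal.pfx" -Password $pw
```

Delete the .pfx from the shared location once every array member has imported it; the file carries the private key for the internal interface of the whole array. The imported certificate can then be assigned to the private interface with the Certificate Wizard as in Step 4.2.8.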

Step 4.2.8 Assign the certificate on the internal interface of each Access Edge Server

Use the following procedure to assign the certificate to the internal interface of each Access Edge Server in the array.

To assign the certificate to the internal interface of the edge server

  1. Log on to your Office Communications Server 2007 Access Edge Server as a member of the Administrators group and the RTC Local Administrators group.

  2. Insert the Office Communications Server 2007 CD, and then click Setup.exe.

  3. In the Deployment Wizard, on the Deploy Edge Server page, beside Step 4: Configure Certificates for the Edge Server, click Run to start the Certificate Wizard.

  4. On the Welcome page, click Next.

  5. On the Available Certificate Tasks page, click Assign an existing certificate, and then click Next.

  6. On the Available Certificates page, select the certificate that you requested for the internal interface of this edge server, and then click Next.

  7. On the Available Certificate Assignments page, select the Edge Server private interface check box (the server interface on which you want to install the certificate), and then click Next.

  8. On the Configure the Certificate(s) of Your Server page, review your settings, and then click Next to assign the certificates.

  9. On the wizard completion page, click Finish.