Certificate Requirements for Edge Servers

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

The following sections summarize the certificate requirements for edge servers on the internal and external interfaces of these servers. For topology specific requirements, refer to the Microsoft Office Communications Server 2007 Edge Server Deployment Guide.

Certificate Requirements for the Internal Interface

The following summarizes the certificate requirements for the internal interface of your edge servers:

  • Each edge server in the perimeter network of the data center requires a certificate for the internal interface:

    • If you are deploying a load balancer with multiple collocated Access Edge Servers and Web Conferencing Edge Servers, use a single certificate with a subject name that matches the FQDN for the virtual IP address used by the Access Edge Servers on the internal load balancer of the servers. The following is an example.

      Certificate SN = accessedge_array.contoso.perimeter

  • If the Web Conferencing Edge Server is collocated on the same computer as the Access Edge Server, it shares this certificate by default. If an A/V Edge Server is also collocated on that computer, it shares the certificate by default as well. If the server roles are not collocated, you must use a separate certificate for each server role.

  • The A/V Edge Server in the perimeter network of the data center requires a certificate for the internal interface if it is running on a separate computer from the Access Edge Server. If you are deploying multiple A/V Edge Servers (with a load balancer), use a single certificate with a subject name that matches the FQDN for the virtual IP address used by the A/V Edge Servers on the internal load balancer. The following is an example.

    Certificate SN = avedge_array.contoso.perimeter

  • The Web Conferencing Edge Server in each remote site of a multiple-site edge topology requires a certificate on the internal interface with a subject name that matches the FQDN published on the internal interface of the firewall in the data center, and it should map to the Web Conferencing Edge Server in the remote site.

  • The A/V Edge Server in each remote site of a multiple-site edge topology requires a certificate on the internal interface with a subject name that matches the FQDN published on the internal interface of the firewall in the data center, and it should map to the A/V Edge Server in the remote site.

Certificate Requirements for Each Topology

The following table summarizes the certificate requirements for the internal interface of each edge server role in the consolidated edge topology.

Table 48 Certificates for internal interface of the edge server in the consolidated edge topology

  Server Role: Access Edge Server, Web Conferencing Edge Server, A/V Edge Server

  Certificate: A single, shared certificate configured on the internal interface with a subject name that matches the internal FQDN of the edge server.

The following table summarizes the certificate requirements for the internal interface of each edge server role in the single-site edge topology.

Table 49 Internal Certificates for the single-site edge topology

  Server Role: Access Edge Server, Web Conferencing Edge Server

  Certificate: A certificate configured on the internal interface with a subject name that matches the internal FQDN of the computer on which the Access Edge Server and Web Conferencing Edge Server are collocated.

  Server Role: A/V Edge Server

  Certificate: A certificate configured on the internal interface with a subject name that matches the internal FQDN of the A/V Edge Server.

The following table summarizes the certificate requirements for the internal interface of each edge server role in the scaled single-site edge topology.

Table 50 Internal Certificates for the scaled single-site edge topology

  Server Role: Access Edge Server, Web Conferencing Edge Server

  Certificate: A certificate configured on the internal interface with a subject name that matches the internal FQDN of the VIP address used by the Access Edge Server on the internal load balancer. This certificate is shared between the Web Conferencing Edge Server and the Access Edge Server and must be configured on the internal interface of both roles. This certificate must be marked as exportable on the first computer where you configure the certificate and then imported onto each additional computer in the Access Edge Server and Web Conferencing Edge Server array.

  Server Role: A/V Edge Server

  Certificate: A certificate configured on the internal interface with a subject name that matches the internal FQDN of the VIP address used by the A/V Edge Server on the internal load balancer. This certificate must be marked as exportable on the first computer where you configure the certificate and then imported onto each additional computer in the A/V Edge Server array.

The following table summarizes the certificate requirements for the internal interface of each edge server in the remote site in a multiple edge site topology. The servers in the central site will use the same certificates as those in the scaled single-site topology.

Table 51 Internal Certificates for the remote site in a multiple-site edge topology

  Server Role: Access Edge Server

  Certificate: No Access Edge Server is deployed in the remote site.

  Server Role: Web Conferencing Edge Server

  Certificate: For each Web Conferencing Edge Server, a certificate configured on the internal interface with a subject name that matches the internal FQDN of the Web Conferencing Edge Server in the remote site.

  Server Role: A/V Edge Server

  Certificate: A certificate configured on the internal interface with a subject name that matches the internal FQDN of the A/V Edge Server in the remote site.

The following table summarizes the certificate requirements for the internal interface of each edge server role in the scaled remote-site edge topology.

Table 52 Internal Certificates for the scaled remote-site edge topology

  Server Role: Web Conferencing Edge Server

  Certificate: For each Web Conferencing Edge Server, a certificate configured on the internal interface with a subject name that matches the internal FQDN of that Web Conferencing Edge Server.

  Server Role: A/V Edge Server

  Certificate: A certificate configured on the internal interface with a subject name that matches the internal FQDN of the VIP address used by the A/V Edge Server on the internal load balancer. This certificate must be marked as exportable on the first computer where you configure the certificate and then imported onto each additional computer in the A/V Edge Server array.

Certificate Requirements for the External Interface

The certificate requirements for the external interface include the following:

  • For each unique IP address on the external interface that you use for the Access Edge Server and Web Conferencing Edge Server, you need a separate certificate. We recommend that you use a separate external IP address for each server role, even if all servers are collocated. An external certificate is not required on the A/V Edge Server.

  • For the scaled single-site edge topology, we recommend that each server role use a separate VIP address on the external load balancer. A separate certificate matching the FQDN of each VIP address used by each Access Edge and Web Conferencing Edge server role must be installed on that server. For example, the Web Conferencing Edge Servers must have a certificate that matches the VIP address used by the Web Conferencing Edge Servers on the external load balancer. The certificate must be marked as exportable on the first physical computer where you configure the certificate and then imported into each additional computer in the array. An external certificate is not required for the A/V Edge Server array on the external interface.

  • If you are deploying a multiple-site topology, the Web Conferencing Edge Server in the perimeter network of each remote site requires a certificate with a subject name that matches the external FQDN of the Web Conferencing Edge Server in the remote site. A certificate is not required for the external interface of the A/V Edge Server.

  • If you are supporting public IM connectivity with AOL®, AOL requires a certificate configured for both client and server authorization. (For MSN® and Yahoo!®, a Web certificate will suffice.)

  • Public certificates are required if you enable Web conferencing and allow your users to invite anonymous participants (individuals from outside your organization who do not have Active Directory credentials).

  • Public certificates are required for public IM connectivity, and they are highly recommended for enhanced federation. The public certificate must be from a public CA that is on the default list of trusted root CAs installed on the server.

    Note

    It is possible to use your Enterprise subordinate CA for direct federation, as well as for testing or trial purposes if all partners agree to trust the CA or cross-sign the certificate.

Certificate Requirements for Each Topology

The following tables summarize the certificate requirements for each topology.

The following table summarizes the certificate requirements for the external interface of each edge server role in the consolidated edge topology.

Table 53 External Certificates for the edge server in the consolidated edge topology

  Server Role: Access Edge Server

  Certificate: A certificate configured on the external interface with a subject name that matches the external FQDN of the edge server. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternative Name of the certificate. For example, if your organization supports the two domains a.contoso.com and b.contoso.com, and a.contoso.com is the external FQDN of your Edge Server, then SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com.

  Server Role: Web Conferencing Edge Server

  Certificate: A certificate configured on the external interface with a subject name that matches the external FQDN of the Web Conferencing Edge Server.

  Server Role: A/V Edge Server

  Certificate: Not required.
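The following added example (not code from the Office Communications Server documentation) checks an Access Edge Server external certificate against the naming rule in the table above: the subject name must be sip.<external FQDN> and the SAN must list sip.<domain> for every supported SIP domain. The sample subject names and SAN strings are constructed for the two-domain scenario; the SAN string formats it accepts are the "DNS Name=" form printed by Windows tools and the "DNS:" form printed by OpenSSL.

```python
# Added example: validates the sip.<domain> subject/SAN rule for an Access Edge Server
# external certificate. Not from the Office Communications Server documentation.
import re

# Matches SAN entries as printed by Windows certificate tools ("DNS Name=x") or OpenSSL ("DNS:x").
_SAN_ENTRY = re.compile(r"(?:DNS Name=|DNS:)\s*([^,\s]+)", re.IGNORECASE)


def parse_san(san_text):
    """Return the set of DNS names listed in a Subject Alternative Name string (lower-cased)."""
    return {name.lower() for name in _SAN_ENTRY.findall(san_text)}


def expected_names(external_fqdn, sip_domains):
    """Subject name and SAN entries the rule requires for the given external FQDN and SIP domains."""
    subject = "sip." + external_fqdn.lower()
    san = {"sip." + d.lower() for d in sip_domains}
    return subject, san


def check_access_edge_cert(subject_cn, san_text, external_fqdn, sip_domains):
    """List every way the certificate falls short of the rule; an empty list means it complies."""
    want_cn, want_san = expected_names(external_fqdn, sip_domains)
    have_san = parse_san(san_text)
    problems = []
    if subject_cn.lower() != want_cn:
        problems.append(f"subject name is {subject_cn}, expected {want_cn}")
    for name in sorted(want_san - have_san):
        problems.append(f"SAN is missing {name}")
    return problems


# Constructed sample certificates for the two-domain scenario in the table above.
SIP_DOMAINS = ["a.contoso.com", "b.contoso.com"]
GOOD_CN = "sip.a.contoso.com"
GOOD_SAN = "DNS Name=sip.a.contoso.com, DNS Name=sip.b.contoso.com"
BAD_CN = "a.contoso.com"              # bare FQDN instead of sip.<FQDN>
BAD_SAN = "DNS:sip.a.contoso.com"     # second SIP domain was never added to the SAN

if __name__ == "__main__":
    for cn, san in ((GOOD_CN, GOOD_SAN), (BAD_CN, BAD_SAN)):
        result = check_access_edge_cert(cn, san, "a.contoso.com", SIP_DOMAINS)
        print(cn, "->", result or "complies")
```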

The following table summarizes the certificate requirements for the external interface of each edge server role in the single-site edge topology.

Table 54 External Certificates for the single-site edge topology

  Server Role: Access Edge Server

  Certificate: A certificate configured on the external interface with a subject name that matches the external FQDN of the computer on which the Access Edge Server and Web Conferencing Edge Server are collocated. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternative Name of the certificate. For example, if your organization supports the two domains a.contoso.com and b.contoso.com, and a.contoso.com is the external FQDN of your Access Edge Server, then SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com.

  Server Role: Web Conferencing Edge Server

  Certificate: A certificate configured on the external interface with a subject name that matches the external FQDN of the Web Conferencing Edge Server.

  Server Role: A/V Edge Server

  Certificate: Not required.

The following table summarizes the certificate requirements for the external interface of each edge server role in the scaled single-site edge topology.

Table 55 External Certificates for the scaled single-site edge topology

  Server Role: Access Edge Server

  Certificate: A certificate configured on the external interface with a subject name that matches the external FQDN of the VIP address used by the Access Edge Server on the external load balancer. If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternative Name of the certificate. For example, if your organization supports the two domains a.contoso.com and b.contoso.com, and a.contoso.com is the external FQDN of your Access Edge Server, then SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com. This certificate must be marked as exportable on the first computer where you configure the certificate and then imported onto each additional computer in the Access Edge Server and Web Conferencing Edge Server array. This certificate must be used as the certificate on the external interface of the Access Edge Server.

  Server Role: Web Conferencing Edge Server

  Certificate: A certificate configured on the external interface with a subject name that matches the external FQDN of the VIP address used by the Web Conferencing Edge Server on the external load balancer. This certificate must be marked as exportable on the first computer where you configure the certificate and then imported onto each additional computer in the Access Edge Server and Web Conferencing Edge Server array. This certificate must be used as the certificate on the external interface of the Web Conferencing Edge Server.

  Server Role: A/V Edge Server

  Certificate: Not required.

The following table summarizes the certificate requirements for the external interface of each edge server in the remote site in a multiple edge site topology. The servers in the central site will use the same certificates as those in the scaled single-site topology.

Table 56 External Certificates for the remote site in a multiple-site edge topology

  Server Role: Access Edge Server

  Certificate: No Access Edge Server is deployed in the remote site.

  Server Role: Web Conferencing Edge Server

  Certificate: A certificate configured on the external interface with a subject name that matches the external FQDN of the Web Conferencing Edge Server in the remote site.

  Server Role: A/V Edge Server

  Certificate: Not required.

The following table summarizes the certificate requirements for the external interface of each edge server role in the scaled remote-site edge topology.

Table 57 External Certificates for the scaled remote-site edge topology

  Server Role: Web Conferencing Edge Server

  Certificate: A certificate configured on the external interface with a subject name that matches the external FQDN of the VIP address used by the Web Conferencing Edge Server on the external load balancer. This certificate must be marked as exportable on the first computer where you configure the certificate and then imported onto each additional computer in the Web Conferencing Edge Server array. This certificate must be used as the certificate on the external interface of the Web Conferencing Edge Server.

  Server Role: A/V Edge Server

  Certificate: Not required.

A/V Authentication Certificate

For the A/V Edge Server, an additional certificate is required for audio/video authentication. The private key of the A/V authentication certificate is used to generate authentication credentials. As a security precaution, you should not use the same certificate for A/V authentication that you use for the internal interface of the A/V Edge Server (covered earlier in this guide).

The same A/V authentication certificate must be installed on each A/V Edge Server if multiple servers are deployed in a load balanced array. This means that the certificate must be from the same issuer and use the same private key. Refer to the Microsoft Office Communications Server 2007 Edge Server Deployment Guide for more information.
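The following added example (not code from the Office Communications Server documentation) applies the two A/V authentication certificate rules above to a constructed inventory of a load-balanced A/V Edge Server array: the A/V authentication certificate must not be the certificate bound to the internal interface, it must carry a private key, and every server in the array must hold the same certificate. The inventory structure, the field names and the thumbprint values are assumptions made for this example.

```python
# Added example: checks A/V authentication certificate rules across an A/V Edge Server
# array. Not from the Office Communications Server documentation; the inventory fields
# (server, internal, av_auth, thumbprint, issuer, has_private_key) are assumed names.
from collections import Counter

# Constructed inventory: per server, the certificate on the internal interface and the
# certificate assigned for A/V authentication. Thumbprints are placeholder values.
AV_EDGE_ARRAY = [
    {"server": "avedge01",
     "internal": {"thumbprint": "INT-0001", "issuer": "CN=Contoso Issuing CA"},
     "av_auth": {"thumbprint": "AUTH-0001", "issuer": "CN=Contoso Issuing CA", "has_private_key": True}},
    {"server": "avedge02",
     "internal": {"thumbprint": "INT-0002", "issuer": "CN=Contoso Issuing CA"},
     "av_auth": {"thumbprint": "AUTH-0001", "issuer": "CN=Contoso Issuing CA", "has_private_key": True}},
    {"server": "avedge03",   # misconfigured: reuses its internal interface certificate
     "internal": {"thumbprint": "INT-0003", "issuer": "CN=Contoso Issuing CA"},
     "av_auth": {"thumbprint": "INT-0003", "issuer": "CN=Contoso Issuing CA", "has_private_key": False}},
]


def check_av_auth_array(array):
    """Return the rule violations found in the array; an empty list means it complies."""
    problems = []
    for s in array:
        auth, internal = s["av_auth"], s["internal"]
        if auth["thumbprint"] == internal["thumbprint"]:
            problems.append(f"{s['server']}: A/V authentication certificate is the same "
                            "certificate as the internal interface certificate")
        if not auth["has_private_key"]:
            problems.append(f"{s['server']}: A/V authentication certificate has no private "
                            "key, so it cannot generate authentication credentials")
    # Every server must carry the same certificate (same issuer, same private key). Equal
    # thumbprints imply both, so flag any server whose certificate deviates from the majority.
    common = Counter(s["av_auth"]["thumbprint"] for s in array).most_common(1)[0][0]
    for s in array:
        if s["av_auth"]["thumbprint"] != common:
            problems.append(f"{s['server']}: A/V authentication certificate "
                            f"{s['av_auth']['thumbprint']} differs from the array's {common}")
    return problems


if __name__ == "__main__":
    for line in check_av_auth_array(AV_EDGE_ARRAY) or ["array complies"]:
        print(line)
```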