Preparing Certificates for Communicator Web Access

[This is preliminary documentation and is subject to change. Blank topics are included as placeholders.]

Communicator Web Access uses digital certificates to authenticate servers and users. This topic describes the configuration requirements for Communicator Web Access certificates and the computers on which the certificates must be installed.

MTLS Certificates

Mutual Transport Layer Security (MTLS) certificates are used to authenticate connections between Communicator Web Access and the Office Communications Server or pool. An MTLS certificate is required on all computers that will run the Communicator Web Access virtual servers. The MTLS certificate that is used for the 2007 R2 version of Communicator Web Access and the MTLS certificate that is used for Office Communications Server 2007 R2 can be issued by the same trusted certification authority (CA) or a different CA.

The following table shows the MTLS certificate requirements.

Table 1.   MTLS certificate configuration requirements

| Certificate Field | Value |
| --- | --- |
| Subject Name | FQDN of the Communicator Web Access server computer |
| Version | 3 |
| Template Duplicated | Web Server |
| EKU | Server Authentication (1.3.6.1.5.5.7.3.1) |
| Private Key | Enabled for Export |
| Key Usage | Digital Signature, Key Encipherment (a0) |

SSL Certificates

Secure Sockets Layer (SSL) certificates are used to authenticate clients that connect to the Communicator Web Access virtual server using a specific URL, which the user enters in a Web browser. An SSL certificate is required on the following computers:

  • All Communicator Web Access virtual servers that are configured to use HTTP with SSL (HTTPS)*
  • Any load balancer that is associated with an array of Communicator Web Access servers and is also configured as an SSL accelerator to perform SSL decryption (required for load balancers for external virtual servers)
  • Any reverse proxy that is used to publish a Communicator Web Access virtual server to the Web for external users

Note

*If Communicator Web Access server is configured to use HTTPS, all computers that use the Communicator Web Access client for desktop sharing are required to download and install the certificate chain for the CA that issued the Communicator Web Access SSL certificate.

The CA that issues the SSL certificates for Communicator Web Access can be a different CA from the one that issues the Office Communications Server SSL certificates or MTLS certificates.

Note

For detailed information about SSL certificate requirements for the reverse proxy and procedures to install the certificate on the reverse proxy, see “Digital Certificates for ISA Server 2004” at https://go.microsoft.com/fwlink/?LinkID=124312.

Note

Load balancers and reverse proxies can have additional certificate requirements that are imposed by the hardware manufacturer or software vendor. See your vendor documentation for details.

The following table shows the SSL certificate requirements.

Table 2.   SSL certificate configuration requirements

| Certificate Field | Value |
| --- | --- |
| Subject Name | The URL of the Communicator Web Access virtual server. Note: If you have deployed a reverse proxy that uses a different URL on its external and internal interfaces, a separate SSL certificate is required for each interface. On the external interface of the reverse proxy, use a certificate with the FQDN of the reverse proxy as the subject name and, on the internal interface, use a certificate with the URL of the Communicator Web Access server as the subject name. |
| Subject Alternate Name | URL of the virtual server, as.<URL_of_the_virtualserver>, download.<URL_of_the_virtualserver>. For example, if your virtual server’s URL is im.contoso.com, the SAN value is im.contoso.com, as.im.contoso.com, download.im.contoso.com. |
| Version | 3 |
| Template Duplicated | Web Server |
| EKU | Server Authentication (1.3.6.1.5.5.7.3.1) |
| Private Key | Enabled for Export |
| Key Usage | Digital Signature, Key Encipherment (a0) |
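
The following added example (not part of the original documentation or of any Microsoft tool) checks an issued certificate's parsed fields against Table 2 before installation, including the three required SAN entries and the key usage bits behind the value a0. The function names and input shapes are assumptions: the certificate dictionary follows the layout returned by Python's ssl.SSLSocket.getpeercert(), and the EKU OIDs and key usage octet are supplied separately.

```python
# Added example: checks parsed certificate fields against Table 2.
# Input shapes are assumptions: `cert` follows ssl.SSLSocket.getpeercert();
# EKU OIDs and the key usage octet must be read from the certificate separately.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
KEY_USAGE_BITS = {  # first octet of the X.509 keyUsage bit string (RFC 5280)
    0x80: "Digital Signature", 0x40: "Non Repudiation",
    0x20: "Key Encipherment", 0x10: "Data Encipherment",
    0x08: "Key Agreement", 0x04: "Certificate Signing",
    0x02: "CRL Signing", 0x01: "Encipher Only",
}
REQUIRED_KEY_USAGE = 0xA0  # Digital Signature | Key Encipherment

def expected_sans(host):
    """SAN entries Table 2 requires for a virtual server host name."""
    host = host.lower()
    return {host, "as." + host, "download." + host}

def decode_key_usage(octet):
    """Names of the key usage bits set in the first octet."""
    return [name for bit, name in KEY_USAGE_BITS.items() if octet & bit]

def check_ssl_cert(host, cert, eku_oids, key_usage_octet):
    """Return a list of deviations from Table 2 (empty list = compliant)."""
    findings = []
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if host.lower() not in (n.lower() for n in names):
        findings.append("subject name is not " + host)
    sans = {v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"}
    for missing in sorted(expected_sans(host) - sans):
        findings.append("SAN missing " + missing)
    if cert.get("version") != 3:
        findings.append("version is not 3")
    if SERVER_AUTH_OID not in eku_oids:
        findings.append("EKU lacks Server Authentication")
    absent = decode_key_usage(REQUIRED_KEY_USAGE & ~key_usage_octet)
    if absent:
        findings.append("key usage lacks " + ", ".join(absent))
    return findings

# Constructed sample: certificate issued without the as./download. SAN entries.
SAMPLE = {
    "version": 3,
    "subject": ((("commonName", "im.contoso.com"),),),
    "subjectAltName": (("DNS", "im.contoso.com"),),
}

if __name__ == "__main__":
    for finding in check_ssl_cert("im.contoso.com", SAMPLE, [SERVER_AUTH_OID], 0x80):
        print(finding)
```
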

Configuring a Certificate Using a NetBIOS Name

Both NetBIOS names and FQDNs are supported as the subject name of a certificate when you request a certificate from a CA. For more details about how to configure certificates by using the NetBIOS name, see “How to Implement SSL with a Stand-Alone Certificate Server in Virtual Server 2005” at https://go.microsoft.com/fwlink/?LinkId=124316.

See Also

Tasks

Installing Certificates for Communicator Web Access