Create a Certificate for Enabling Mutual TLS in Unified Messaging


Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

You can enable Voice over IP (VoIP) security for a Unified Messaging (UM) dial plan. By default, when a UM dial plan is created, it will use Unsecured mode or no encryption. When you configure the UM dial plan to use Session Initiation Protocol secured (SIP Secured) or Secured mode, the Unified Messaging servers that are associated with the UM dial plan will encrypt the SIP signaling traffic or the Realtime Transport Protocol (RTP) media channels and the SIP signaling traffic.

To enable a UM server to encrypt data that's sent between IP gateways and IP PBXs, you must:

  • Create a new self-signed or public certificate that you can use for mutual TLS.

  • Associate a certificate with the UM server.

  • Configure the UM dial plan as SIP Secured or Secured.

  • Configure the startup mode on the UM server.

  • Configure the listening port on the UM IP gateways to use TCP port 5061.

  • Import the certificate on your IP gateways or IP PBXs.

Prerequisites

After you've installed the Unified Messaging server role, you'll have to create a certificate that can be used to encrypt data between a UM server and IP gateways or IP PBXs.

Use the EMC to create a new Exchange certificate

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "UM server" entry in the Unified Messaging Permissions topic. You must also log on by using an account that's a member of the local Administrators group on that computer.

  1. In the console tree, click Server Configuration.

  2. In the action pane, click New Exchange Certificate to open the New Exchange Certificate wizard.

  3. On the Introduction page, enter a friendly name for your certificate.

  4. On the Domain Scope page, don't select the Enable wildcarding for this certificate check box.

  5. On the Exchange Configuration page, expand Unified Messaging server.

  6. Select Self-signed certificate or Public certificate, enter the fully qualified domain name (FQDN) of your UM server in the Fully qualified domain name (FQDN) of your UM servers box, and then click Next.

  7. On the Organization and Location page, enter information about your Exchange organization.

  8. On the Certificate Completion page, verify that all the information you've entered is correct. If it is correct, click New.

  9. On the Completion page, follow the steps that are listed there to complete your request. This page also contains the cmdlet syntax necessary to create a new certificate.

Use the Shell to create a new Exchange certificate

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "UM server" entry in the Unified Messaging Permissions topic. You must also log on by using an account that's a member of the local Administrators group on that computer.

This example creates a new Exchange certificate request for a UM server named MyUMServer with a friendly name of UMCert.

New-ExchangeCertificate -FriendlyName 'UMCert' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -DomainName '*.contoso.com' -SubjectName 'C=US,S=wa,L=redmond,O=contoso,OU=servers,CN=contoso.com' -Server 'MyUMServer'
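The following Exchange Management Shell sequence is an added example, not part of this topic, that carries out the remaining tasks from the list at the top of this topic once the request created above has been issued by a certification authority. The dial plan name MyDialPlan, the IP gateway name MyGateway, and the file paths under C:\Certs are assumed placeholders; the UM server name MyUMServer and the friendly name UMCert are taken from the topic.

```powershell
# Added example (not from the original topic). Assumed placeholders: MyDialPlan,
# MyGateway, C:\Certs\UMCert.pfx and C:\Certs\UMCert.cer. Replace with your own.

# 1. Import the issued certificate (a PFX that includes the private key) on the
#    UM server. Import-ExchangeCertificate returns the certificate object, so its
#    thumbprint can be reused below instead of being copied by hand.
$PfxBytes = [Byte[]](Get-Content -Path 'C:\Certs\UMCert.pfx' -Encoding Byte -ReadCount 0)
$Cert = Import-ExchangeCertificate -Server 'MyUMServer' -FileData $PfxBytes `
    -Password (Get-Credential).Password

# 2. Associate the certificate with the UM service on that server.
Enable-ExchangeCertificate -Server 'MyUMServer' -Thumbprint $Cert.Thumbprint -Services UM

# 3. Configure the dial plan. SIPSecured encrypts only SIP signaling;
#    Secured also encrypts the RTP media channels.
Set-UMDialPlan -Identity 'MyDialPlan' -VoIPSecurity SIPSecured

# 4. Configure the UM server startup mode. Dual keeps TCP 5060 available next to
#    TLS 5061 while gateways are migrated; TLS accepts mutual TLS only. The UM
#    service must be restarted for the new mode to take effect.
Set-UMServer -Identity 'MyUMServer' -UMStartupMode Dual
Restart-Service -Name MSExchangeUM

# 5. Point the IP gateway object at the TLS listening port.
Set-UMIPGateway -Identity 'MyGateway' -Port 5061

# 6. Export the public part of the certificate (no private key) so it can be
#    imported on the IP gateway or IP PBX. For a CA-issued certificate the
#    gateway must trust the issuing CA chain instead of this single certificate.
$PublicBytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes('C:\Certs\UMCert.cer', $PublicBytes)

# 7. Verify: UM should appear in the certificate's Services, the server should
#    report the new startup mode, and the gateway should be on port 5061.
Get-ExchangeCertificate -Server 'MyUMServer' -Thumbprint $Cert.Thumbprint |
    Format-List FriendlyName, Services, NotAfter
Get-UMServer -Identity 'MyUMServer' | Format-List Name, UMStartupMode
Get-UMIPGateway -Identity 'MyGateway' | Format-List Name, Address, Port
```

For a self-signed certificate, run New-ExchangeCertificate without -GenerateRequest; it installs the certificate directly and returns the object, so steps 1 and 2 reduce to Enable-ExchangeCertificate on the returned thumbprint.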

Other Tasks

After you create a certificate for Unified Messaging, you may also want to:

 © 2010 Microsoft Corporation. All rights reserved.