Planning for Certificates

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Communicator Web Access uses digital certificates to authenticate servers and users. Before you install Communicator Web Access, you must configure the computer with trusted certificates for MTLS (mutual Transport Layer Security) and Secure Sockets Layer (SSL):

  • MTLS certificate

    An MTLS certificate is required on all Communicator Web Access servers and on any load balancer that is associated with an array of Communicator Web Access servers. The MTLS certificate is used to authenticate connections between Communicator Web Access and Office Communications Server 2007. All MTLS certificates must be issued by the same trusted certification authority that issued the MTLS certificates on Office Communications Server 2007.

    Important

    An MTLS connection will succeed only if the subject name for the MTLS certificate is the FQDN (fully qualified domain name) of the Communicator Web Access server.

  • SSL certificate

    An SSL certificate is required on all Communicator Web Access servers and on any load balancer that is associated with an array of Communicator Web Access servers. The SSL (Secure Sockets Layer) certificate is used by clients that are connecting to the Communicator Web Access server. Each virtual server that is configured with HTTPS (HTTP with SSL) must have an SSL certificate. The CA that issues the SSL certificate for Communicator Web Access does not have to be the same one that issues the Office Communications Server 2007 SSL certificates or the MTLS certificates.

If you are deploying a custom authentication solution, including SSO (single sign-on), or you are publishing Communicator Web Access to the Web by using SSL, additional certificates are required in the following scenarios:

  • The Communicator Web Access virtual server is enabled for custom authentication, and an ISA Server 2006 with an SSO-enabled Web listener is deployed.

  • SSL-based Web publishing is introduced, so the external Web listener on the reverse proxy needs its own certificate (see Table 6).

    Note

    Computers in your Communicator Web Access deployment, such as load balancers and reverse proxies, may have additional certificate requirements that are imposed by the hardware manufacturer or software vendor. See your vendor documentation for details.

MTLS Certificates

The MTLS certificate identifies the Communicator Web Access server to the Office Communications Server 2007 server or pool. The certificate is assigned in the Communicator Web Access Manager, and its subject name is always the FQDN of the Communicator Web Access server computer. This certificate must be issued by the same CA that issued the Office Communications Server 2007 MTLS certificates.

The MTLS certificate must be configured as shown in Table 4.

Table 4: MTLS Certificate Configuration Requirements

Certificate Field       Value
Version                 3
Template Duplicated     Web Server
EKU                     Server Authentication (1.3.6.1.5.5.7.3.1)
Private Key             Enabled for Export
Key Usage               Digital Signature, Key Encipherment (a0)

SSL Certificates

The SSL certificate identifies the Communicator Web Access virtual server to users who access it through a specific URL, which the user enters in a Web browser. The browser checks that the subject name of the certificate matches the host name in that URL, which is why the subject name rules in Table 6 matter.

The HTTPS certificate must be configured as shown in Table 5.

Table 5: HTTPS Certificate Configuration Requirements

Certificate Field       Value
Version                 3
Template Duplicated     Web Server
EKU                     Server Authentication (1.3.6.1.5.5.7.3.1)
Private Key             Enabled for Export
Key Usage               Digital Signature, Key Encipherment (a0)
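Table 4 and Table 5 ask for the same certificate shape, so one request serves both. The following is an added example, not part of the original page or of the Communicator Web Access product: it writes a certreq.exe INF file that carries the Table 4/5 settings (subject name set to the FQDN, exportable private key, key usage 0xa0, Server Authentication EKU, a duplicate of the Web Server template) and submits it to an enterprise CA. The FQDN, the template name CWAWebServer and the CA config string ca01.contoso.com\Contoso Issuing CA are assumptions; substitute your own. Version 3 is not requested explicitly because any certificate that carries extensions is issued as X.509 v3.

```powershell
# Added example, not from the original page: a certreq.exe request that meets
# Table 4 / Table 5. The FQDN, template name and CA config string are assumptions.
$Fqdn     = 'computer1.contoso.com'        # server FQDN (MTLS), or the load balancer VIP FQDN (SSL, Table 6)
$Template = 'CWAWebServer'                 # assumption: your duplicate of the built-in Web Server template
$CaConfig = 'ca01.contoso.com\Contoso Issuing CA'   # assumption; for MTLS this must be the CA that issued the OCS 2007 MTLS certificates

# Single-quoted here-string so that "$Windows NT$" is not expanded; {0} and {1} are filled by -f below.
$Inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN={0}"                  ; subject name is the FQDN, not the NetBIOS name
Exportable = TRUE                   ; Private Key: Enabled for Export
KeyLength = 2048
KeySpec = 1                         ; AT_KEYEXCHANGE, required for Key Encipherment
KeyUsage = 0xa0                     ; Digital Signature | Key Encipherment
MachineKeySet = TRUE                ; key is stored in LocalMachine\My, where IIS / CWA look for it
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1             ; Server Authentication

[RequestAttributes]
CertificateTemplate = {1}
'@ -f $Fqdn, $Template

$Base = Join-Path $env:TEMP $Fqdn
Set-Content -Path "$Base.inf" -Value $Inf -Encoding ASCII

certreq.exe -new "$Base.inf" "$Base.req"                        # generate the key pair and the PKCS#10 request
certreq.exe -submit -config $CaConfig "$Base.req" "$Base.cer"   # submit to the enterprise CA
certreq.exe -accept "$Base.cer"                                  # install the issued certificate next to its private key
```

Run it on the Communicator Web Access server itself so that the private key is generated in that machine's store; for servers behind a load balancer, set $Fqdn to the VIP FQDN when requesting the SSL certificate and to the server's own FQDN when requesting the MTLS certificate.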

The subject name of the SSL certificate corresponds to the FQDN of either the server or the load balancer if one is present. On a reverse proxy that is deployed in the perimeter network, the subject name of the SSL certificate corresponds to the FQDN of the reverse proxy. Table 6 summarizes the FQDN of the SSL certificate in several examples.

Table 6: Certificate Requirements

Scenario: Single Communicator Web Access virtual server on a computer named computer1.contoso.com; no Web publishing; no load balancing.
Certificate subject name: The server has an SSL certificate whose subject name is the FQDN of the server, in this case computer1.contoso.com.

Scenario: Two or more Communicator Web Access servers behind a load balancer with a virtual IP (VIP) address of cwaVIP.contoso.com; no SSO or SSL Web publishing.
Certificate subject name: Each Communicator Web Access server behind the load balancer has an SSL certificate whose subject name is the FQDN of the load balancer, cwaVIP.contoso.com, regardless of the computer name.

Scenario: Two or more Communicator Web Access servers behind a load balancer with a VIP of cwaVIP.contoso.com; the VIP is SSL Web published with a reverse proxy that uses the URL cwaPub.contoso.com.
Certificate subject name: Each Communicator Web Access server behind the load balancer has an SSL certificate whose subject name is the FQDN of the load balancer, cwaVIP.contoso.com, regardless of the computer name. The subject name of the external network listener certificate is the FQDN of the reverse proxy, cwaPub.contoso.com.
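Before bringing a server into service it is worth auditing what actually landed in the machine store, because a certificate that was requested against the wrong name or template is only noticed when MTLS or HTTPS fails. The function below is an added example, not part of the original page or of the product: it checks a certificate from LocalMachine\My against the Table 4/5 fields (version 3, Server Authentication EKU, Digital Signature plus Key Encipherment, exportable private key) and against the subject name expected for its role under Table 6. The function name Test-CwaCertificate and the expected FQDN computer1.contoso.com are assumptions; pass the load balancer VIP FQDN or the reverse proxy FQDN instead where Table 6 calls for it.

```powershell
# Added example, not from the original page: audit certificates in
# LocalMachine\My against Table 4 / Table 5 and the Table 6 subject-name rule.
function Test-CwaCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$ExpectedSubjectFqdn   # server FQDN (MTLS), LB VIP FQDN or reverse proxy FQDN (SSL)
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $findings = @()

    # Table 4/5: Version 3
    if ($Certificate.Version -ne 3) { $findings += "Version is $($Certificate.Version), expected 3" }

    # Subject name must be the FQDN for the role; -ne is case-insensitive in PowerShell
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedSubjectFqdn) { $findings += "Subject CN '$cn' is not '$ExpectedSubjectFqdn'" }

    # Table 4/5: EKU must include Server Authentication
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $serverAuthOid)) {
        $findings += "EKU lacks Server Authentication ($serverAuthOid)"
    }

    # Table 4/5: Key Usage must include Digital Signature and Key Encipherment (bit string a0)
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature -bor
                [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if (-not $ku -or (($ku.KeyUsages -band $required) -ne $required)) {
        $findings += "Key Usage is '$($ku.KeyUsages)', expected Digital Signature, Key Encipherment (a0)"
    }

    # Table 4/5: private key present and exportable. Exportability is only readable
    # here for CSP (RSACryptoServiceProvider) keys, which is what the SChannel provider creates.
    if (-not $Certificate.HasPrivateKey) {
        $findings += 'No private key in the store'
    } elseif ($Certificate.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider] -and
              -not $Certificate.PrivateKey.CspKeyContainerInfo.Exportable) {
        $findings += 'Private key is not marked exportable'
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer      # for MTLS, compare with the CA that issued the OCS 2007 MTLS certs
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage: assumption, this host is computer1.contoso.com and is not behind a load balancer
$expectedFqdn = 'computer1.contoso.com'
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CwaCertificate -Certificate $_ -ExpectedSubjectFqdn $expectedFqdn } |
    Format-List
```

The Issuer field is reported rather than checked because the page fixes only one rule about it: the MTLS certificate must come from the CA that issued the Office Communications Server 2007 MTLS certificates, while the SSL certificate may come from any CA the clients trust.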

Both NetBIOS names and FQDNs are accepted as the subject name of a certificate when you request a certificate from a certification authority. Note, however, that the MTLS certificate must use the FQDN of the Communicator Web Access server (see the Important note above), and the subject name of the SSL certificate must match the name that users, the load balancer, or the reverse proxy actually connect to (Table 6). For more information about how to configure certificates by using the NetBIOS name, see "How to Implement SSL with a Stand-Alone Certificate Server in Virtual Server 2005" at https://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=sslVS2005.