Certificate Requirements for External User Access
Topic Last Modified: 2012-01-24
The following sections summarize the certificate requirements for the internal and external interfaces of Edge Servers.
Each Edge Server must have a certificate on the internal interface, between the perimeter network and the internal network. All three Edge Server services on that server share this certificate. The subject name of the certificate must match the internal FQDN of the Access Edge service of that Edge Server.
These guidelines apply to Edge Servers at both the data center and at remote sites.
Each Edge Server requires two certificates on the external interface—one for the Access Edge service, and one for the Web Conferencing Edge service. (The A/V Edge service does not require a certificate.) Each of these certificates must have a subject name that matches the external FQDN of that edge service on that server.
For external certificates, public certificates are required for public IM connectivity, and to enable anonymous users to be invited to Web conferencing meetings. Public certificates also provide enhancements to federation relationships. Additionally, if you want to support public IM connectivity with AOL, AOL requires a certificate configured for both client and server authorization.
Note: If you are deploying your Edge Servers on Windows Server 2008 or Windows Server 2008 R2 and are configuring public IM connectivity with America Online (AOL), the communication with AOL may fail. The issue is caused by newer cipher suites introduced in Windows Server 2008 and Windows Server 2008 R2, and by how Office Communications Server 2007 R2 recognizes those new cipher suites. See the following for more information: http://go.microsoft.com/fwlink/?linkid=3052&kbid=975858, http://go.microsoft.com/fwlink/?LinkId=241555, and http://go.microsoft.com/fwlink/?LinkId=241557
An additional certificate is required for audio/video (A/V) authentication. The private key of the A/V authentication certificate is used to generate authentication credentials.
This can be an internal certificate, but as a security precaution, you should not use the same certificate for A/V authentication that you use for any of the Edge Server services.
The same A/V authentication certificate must be installed on each Edge Server if multiple servers are deployed in a load-balanced array. This means that the certificate must be from the same issuer and use the same private key.
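As an added example that is not part of this article or of Office Communications Server, the following PowerShell script checks the requirements above on one Edge Server: that a certificate with a private key exists whose subject name matches each service FQDN, that the external Access Edge certificate carries both the Server Authentication and Client Authentication enhanced key usages (the property the AOL requirement depends on), and that the A/V authentication certificate is not reused for an Edge service and matches the thumbprint used on the other array members. The FQDNs and the thumbprint at the top are placeholders to replace with your own values.

```powershell
# Added check script, not from the original article. Values below are placeholders.
$InternalFqdn     = "edge01.contoso.local"   # placeholder: internal FQDN of the Access Edge service
$AccessEdgeFqdn   = "sip.contoso.com"        # placeholder: external FQDN of the Access Edge service
$WebConfEdgeFqdn  = "webconf.contoso.com"    # placeholder: external FQDN of the Web Conferencing Edge service
$AvAuthThumbprint = "<THUMBPRINT-FROM-OTHER-ARRAY-MEMBERS>"  # placeholder: A/V auth cert shared by the array

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
# Only certificates with a private key can be used by a service on this server.
$Store = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

function Get-EkuOids($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

function Find-CertBySubjectName($Fqdn) {
    # The subject name (CN) must match the FQDN of the service on this server.
    $Store | Where-Object {
        $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -eq $Fqdn
    } | Select-Object -First 1
}

$edgeThumbprints = @()
foreach ($svc in @(@("Internal interface", $InternalFqdn),
                   @("Access Edge (external)", $AccessEdgeFqdn),
                   @("Web Conferencing Edge (external)", $WebConfEdgeFqdn))) {
    $name, $fqdn = $svc
    $cert = Find-CertBySubjectName $fqdn
    if (-not $cert) { Write-Warning "$name : no certificate with a private key and subject name $fqdn"; continue }
    Write-Host "$name : $fqdn OK (thumbprint $($cert.Thumbprint), issuer $($cert.Issuer))"
    $edgeThumbprints += $cert.Thumbprint
    if ($fqdn -eq $AccessEdgeFqdn) {
        # Public IM connectivity with AOL needs both client and server authentication on this certificate.
        $eku = Get-EkuOids $cert
        if (-not (($eku -contains $ServerAuthOid) -and ($eku -contains $ClientAuthOid))) {
            Write-Warning "$name : AOL public IM connectivity needs both Server and Client Authentication EKUs"
        }
    }
}

# A/V authentication certificate: present, not shared with an Edge service, identical across the array.
$av = $Store | Where-Object { $_.Thumbprint -eq $AvAuthThumbprint }
if (-not $av) { Write-Warning "A/V authentication certificate $AvAuthThumbprint not found with a private key" }
elseif ($edgeThumbprints -contains $av.Thumbprint) { Write-Warning "A/V authentication certificate is also used by an Edge service; use a separate certificate" }
else { Write-Host "A/V authentication certificate OK (issuer $($av.Issuer))" }
```

Run it on each Edge Server in the array; a matching thumbprint on every member confirms the same issuer and key pair, since a certificate's thumbprint covers both.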