1 21st April 12:03
greg
External User
 
Posts: 1
Default LCS Certificates



Can someone tell me where I can find documentation regarding configuring LCS
after installing a Verisign certificate? Specifically, what settings need to
be set on the server and on the client to enable LCS? We are able to
connect using TCP, but not using LCS.

I have read through all of the install/reference guides I can find and none
of them mention anything about this.

Thanks for your help.
  Reply With Quote




2 21st April 12:04
chau le
External User
 
Posts: 1
Default LCS Certificates



I'm under the impression that LCS needs to get a certificate from a CA
Authority in the domain, not Verisign. Is there some sort of public
interface to the LCS server? Is that why you're getting a Verisign cert?

-C-
  Reply With Quote
3 21st April 12:04
danieldo
External User
 
Posts: 1
Default LCS Certificates


Hello Greg,

Hopefully the following answers your questions:

M/TLS connections
- If two or more Home Servers exist in the forest, then MTLS must be
  configured.
- Home Servers use MTLS to communicate with each other.
- Client to Server communication can use TLS, which is optional but highly
  recommended.
- TLS is required, however, for any external connections that traverse
  firewalls, proxies or NAT devices.
- Both MTLS and TLS use port 5061.
- Both MTLS and TLS require certificates, which means a PKI must exist
  internally or we need to use a vendor such as Verisign to obtain
  certificates.

Certificate requirements
- M/TLS requires X.509 V3 certificates.
- For MTLS, we require both the Server and Client authentication attributes,
  which are found in the EKU field of the certificate, and for TLS we only
  require the Server authentication attribute.
- Both of these attributes are usually described using an OID.
- The OID for Server authentication is (1.3.6.1.5.5.7.3.1) and Client
  authentication is (1.3.6.1.5.5.7.3.2).
- For MTLS, the common name of the certificate (subject field) must be the
  FQDN of the Home Server.
- For TLS, the common name in most cases is sip.domain (i.e.
  sip.microsoft.com), but can be the FQDN.
- In all cases, the Trusted Root CA certificate or certificate chain must
  be imported onto every LC Server and every client computer that will use a
  TLS connection.

Daniel Dorgan, MCSE
Enterprise Networking Support

--------------------
Can someone tell me where I can find documentation regarding configuring LCS
after installing a Verisign certificate? Specifically, what settings need to
be set on the server and on the client to enable LCS? We are able to
connect using TCP, but not using LCS.

I have read through all of the install/reference guides I can find and none
of them mention anything about this.

Thanks for your help.
  Reply With Quote
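
The certificate requirements listed in the post above (X.509 v3, the EKU OIDs, the subject common name, a trusted root) can be checked against the local machine store. This is an added example, not part of the original thread and not an LCS or Windows cmdlet; `Test-LcsCertificate`, its parameters and the use of the host's own FQDN as the expected name are assumptions.

```powershell
# Added example: audit a certificate against the requirements listed in the post.
# Test-LcsCertificate and its parameter names are hypothetical, chosen for illustration.
function Test-LcsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][ValidateSet('TLS', 'MTLS')][string]$Mode,
        # Names the subject CN may carry: the server FQDN, or sip.<domain> for TLS.
        [Parameter(Mandatory)][string[]]$ExpectedName
    )

    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    $required = if ($Mode -eq 'MTLS') { $serverAuth, $clientAuth } else { @($serverAuth) }

    # Collect the EKU OIDs. A certificate with no EKU extension yields an empty
    # list and is reported as missing every required usage.
    $eku = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Common name from the subject field.
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Build the chain against this machine's trust stores to confirm the root is trusted here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: lab host without CRL access
    $chainOk = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject      = $cn
        IsV3         = ($Certificate.Version -eq 3)
        MissingEku   = @($required | Where-Object { $eku -notcontains $_ })
        NameMatches  = ($ExpectedName -contains $cn)
        ChainTrusted = $chainOk
        ChainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

# Constructed usage: check every machine certificate on this host for MTLS.
$fqdn = [System.Net.Dns]::GetHostEntry('').HostName   # assumed to return the server FQDN
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LcsCertificate -Certificate $_ -Mode MTLS -ExpectedName $fqdn }
```

Run it on each server and client that will use TLS, since `ChainTrusted` reflects only the trust stores of the machine it runs on.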
4 21st April 12:05
greg
External User
 
Posts: 1
Default LCS Certificates


This information is useful. Thank you.

However, I'm still wanting to know what the configuration information should
be when I go into my IIS manager, view the properties for my website, select
the "Directory Security" tab, and select "edit" in the "Secure
Communications" area. What should these settings be?

My LCS deployment currently is in a lab environment, but will be moving to
production soon. It's a single forest, single server, with no external
connections.

Thanks for your help.
  Reply With Quote
5 21st April 12:05
greg
External User
 
Posts: 1
Default LCS Certificates


Can you explain (or point me in a direction that explains) the step you
mentioned below:
> In all cases, the Trusted Root CA certificate or certificate chain must

Thanks.
  Reply With Quote
6 30th April 22:28
thomas wenzl [mvp]
External User
 
Posts: 1
Default LCS Certificates


Hello Greg,

Have you looked at the deployment guide yet?

The certificate that is created for the CA when setting it up
is called the root certificate.

If you use certificates for TLS that were created using your
enterprise certificate authority (CA), then all clients/servers using
that certificate must also trust your CA.

Just add the root certificate to the list of trusted sites.
You may also want to do this automatically using group
policies.

Regards
--
Thomas Wenzl [MVP for Live Communications Server]

Share what you know, learn what you don't!
(Deja/Google)
  Reply With Quote
7 20th May 19:11
greg
External User
 
Posts: 1
Default LCS Certificates


No, I just thought I would come out here and post something without actually
trying to find the answer...

Of course, I read the deployment guide. My original post indicates that...
  Reply With Quote
8 31st May 14:40
bob christian
External User
 
Posts: 1
Default LCS Certificates


I actually chuckled reading that. Many people do not actually admit to
reading the manuals.

Was it a VeriSign SSL certificate or a root certificate for your CA server?

Bob
  Reply With Quote
10 31st May 14:41
greg
External User
 
Posts: 1
Default LCS Certificates


I can understand why sometimes people need to ask "Did you even READ the
deployment guide?", but when it's stated up front... come on. I'm glad you
got a chuckle out of it, though. Me, too.

It's actually a Verisign certificate we are using and I got it figured out
on Friday. Thanks for your interest.
  Reply With Quote