Henrik
Guest
Posted: Thu Nov 10, 2005 1:50 pm
Post subject: Certificate Help badly needed
I have set up an LCS environment with 1 LCS server and 1 Access Proxy.
However I am having trouble getting Remote Access working.
I bought a Thawte certificate and applied it to the external side of the
Access Proxy, however the outside Communicator Client complains about a
certificate error.
I tried using the Diagnostic tool from the Res Kit, and it comes up with an
interesting error:
"The target principal name is incorrect. if <fqdn> is part of a pool, please
ignore this. If server is not part of a pool, server certificate does not
match the server FQDN. Please install on server a proper certificate"
My question is:
How do I verify that my server SN matches the FQDN? As far as I can tell
from looking at the certificate, the hostname is fine.
Brian Ricks (513399)
Guest
Posted: Fri Nov 11, 2005 5:51 pm
Post subject: RE: Certificate Help badly needed
For the AP, the external cert must match the external 'A' record name of the
pool in DNS. When the client is attaching to the AP, it is passing this name
and it checks the FQDN of the external name against the external cert.
Internally the same holds true. Whatever the AP's DNS name is known as
internally, that should be the cert's name.
So, if you open the certificate and view it (in Windows itself or from
within the MMC on the AP), it should list the name as the DNS FQDN of the AP.
If they match then it should function OK (assuming the certificate authority
is known by the client and the server).
--
Brian Ricks
BriComp Computers
Beta ID 513399
"Henrik" wrote:
| Quote: | I have set up an LCS environment with 1 LCS server and 1 Access Proxy.
However I am having trouble getting Remote Access working.
I bought a Thawte certificate and applied it to the external side of the
Access Proxy, however the outside Commnicator Client complains about a
certificate error.
I tried using the Diagnostic tool from the Res Kit, and it comes up with an
interesting error:
"The target principal name is incorrect. if <fqdn> is part of a pool, please
ignore this. If server is not part of a pool, server certificate does not
match the server FQDN. Please install on server a proper certificate"
My question is:
How do i verify that my server SN matches the FQDN ? As far as I can tell
from looking at the certificate, the hostname is fine.
|
|
|
| Back to top |
|
 |
Brian Ricks (513399)
Guest
Posted: Fri Nov 11, 2005 9:50 pm
Post subject: RE: Certificate Help badly needed
Not a problem - my pleasure!
OK - so the external cert you would use on this AP (and any others that
would be in the array at some point in time behind a load balancer) is:
lcs.company.com
From the Internet, anyone should be able to resolve lcs.company.com AND
telnet to lcs.company.com 5061. If that does not work, there are basic
networking issues.
The internal cert would need to be the name of the box internally... so, if
your internal DNS zone is internal.company.com, the internal cert would be:
srvlcsap.internal.company.com
Just like outside, this address should be resolvable via DNS, and port 5061
should be obtainable from the Director or FE server that is being sent the
"next hop." This is a DNS resolution, so you must update the correct zone
with the name server name, and whatever zone it lives in determines its FQDN.
--
Brian Ricks
BriComp Computers
Beta ID 513399
"Henrik" wrote:
| Quote: | Hi Brian, and thanks for your response.
Can we use an example to make sure I understand you fully ?
Our AP is in a DMZ zone, and can be accessed from the internet using an
adress similar to "lcs.company.com" which is also the adress on the Thawte
certificate.
The server itself is a Windows 2003 Server, running in a workgroup (no
domain) and it's name is "srvLcsAP"
Looking forward to your reply.
Best Regards,
Henrik
Using the above example, what should be the hostname on the certificate ?
"Brian Ricks (513399)" wrote:
For the AP, the external cert must match the external 'A' record name of the
pool in DNS. When the client is attaching to the AP, it is passing this name
and it checks the FQDN of the external name against the external cert.
Internally the same holds true. Whatever the AP's DNS name is known as
internally, that should be the cert's name.
So, if you open the certificate and view it (in Windows itself or from
within the MMC on the AP), it should list the name as the DNS FQDN of the AP.
If they match then it should function OK (assuming the certificate authority
is known by the client and the server).
--
Brian Ricks
BriComp Computers
Beta ID 513399
"Henrik" wrote:
I have set up an LCS environment with 1 LCS server and 1 Access Proxy.
However I am having trouble getting Remote Access working.
I bought a Thawte certificate and applied it to the external side of the
Access Proxy, however the outside Commnicator Client complains about a
certificate error.
I tried using the Diagnostic tool from the Res Kit, and it comes up with an
interesting error:
"The target principal name is incorrect. if <fqdn> is part of a pool, please
ignore this. If server is not part of a pool, server certificate does not
match the server FQDN. Please install on server a proper certificate"
My question is:
How do i verify that my server SN matches the FQDN ? As far as I can tell
from looking at the certificate, the hostname is fine.
|
|
|
| Back to top |
|
 |
Henrik
Guest
Posted: Fri Nov 11, 2005 9:50 pm
Post subject: RE: Certificate Help badly needed
Hi Brian, and thanks for your response.
Can we use an example to make sure I understand you fully?
Our AP is in a DMZ zone, and can be accessed from the internet using an
address similar to "lcs.company.com" which is also the address on the Thawte
certificate.
The server itself is a Windows 2003 Server, running in a workgroup (no
domain) and its name is "srvLcsAP".
Using the above example, what should be the hostname on the certificate?
Looking forward to your reply.
Best Regards,
Henrik
"Brian Ricks (513399)" wrote:
| Quote: | For the AP, the external cert must match the external 'A' record name of the
pool in DNS. When the client is attaching to the AP, it is passing this name
and it checks the FQDN of the external name against the external cert.
Internally the same holds true. Whatever the AP's DNS name is known as
internally, that should be the cert's name.
So, if you open the certificate and view it (in Windows itself or from
within the MMC on the AP), it should list the name as the DNS FQDN of the AP.
If they match then it should function OK (assuming the certificate authority
is known by the client and the server).
--
Brian Ricks
BriComp Computers
Beta ID 513399
"Henrik" wrote:
I have set up an LCS environment with 1 LCS server and 1 Access Proxy.
However I am having trouble getting Remote Access working.
I bought a Thawte certificate and applied it to the external side of the
Access Proxy, however the outside Commnicator Client complains about a
certificate error.
I tried using the Diagnostic tool from the Res Kit, and it comes up with an
interesting error:
"The target principal name is incorrect. if <fqdn> is part of a pool, please
ignore this. If server is not part of a pool, server certificate does not
match the server FQDN. Please install on server a proper certificate"
My question is:
How do i verify that my server SN matches the FQDN ? As far as I can tell
from looking at the certificate, the hostname is fine.
|
|
|
| Back to top |
|
 |
Henrik
Guest
Posted: Mon Nov 14, 2005 5:50 pm
Post subject: RE: Certificate Help badly needed
I think I found what the problem might be.
In the technical overview documentation, they mention a DNS SRV record:
------------------ Quote ------------------
A DNS SRV (service location) record for _sip._tls.<domain>, where <domain> is
the name of your organization's SIP domain. This SRV record must point to the
A record of the Access Proxy. This SRV record supports branch office
scenarios, remote access by means of direct connection to the Access Proxy,
and internal Windows Messenger 5.1 clients.
-------------- End Quote ----------------------
From what I understand from reading the above, I need to add a DNS record to
the external DNS server which hosts the "lcs.company.com" zone? And if so,
should the record be like this?
_sip._tls.lcs.company.com lcs.company.com
If possible, can you provide me with an example of your DNS zone
file for your domain (feel free to alter the name for privacy reasons)?
Best Regards,
Henrik
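As an added example (not code from any poster in this thread), the following Python encodes the two checks the thread turns on: whether a certificate's subject/SAN names cover the FQDN the client dials, which is the comparison Brian describes behind the "target principal name is incorrect" message, and whether the _sip._tls.<domain> SRV target, the Access Proxy's A record and the cert name all agree. The sample certificate dict is constructed in the shape Python's ssl getpeercert() returns using the names from the thread; fetch_live_cert is a hypothetical helper that needs network access and a CA the local machine trusts.

```python
"""Offline version of the two name checks discussed in this thread: does the
cert cover the FQDN the client dials, and do SRV target, A record and cert agree."""
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, standing
# in for the cert on the Access Proxy's external interface (names from the thread).
SAMPLE_CERT = {
    "subject": ((("commonName", "lcs.company.com"),),),
    "subjectAltName": (("DNS", "lcs.company.com"),),
}

def cert_names(cert):
    """Every DNS name the cert vouches for: SAN entries first, then the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return [n.lower().rstrip(".") for n in names]

def name_matches(cert, fqdn):
    """True if fqdn is covered exactly or by a single-label wildcard (*.company.com).
    A False here is what surfaces as 'the target principal name is incorrect'."""
    host = fqdn.lower().rstrip(".")
    for name in cert_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def srv_record_name(sip_domain):
    """The record clients query for a SIP domain, per the quoted documentation."""
    return "_sip._tls." + sip_domain.lower().rstrip(".")

def srv_target_consistent(srv_target, a_record_name, cert):
    """The SRV target must be the AP's A record, and that name must be in the
    cert; otherwise the client dials one name and is presented another."""
    same = srv_target.lower().rstrip(".") == a_record_name.lower().rstrip(".")
    return same and name_matches(cert, a_record_name)

def fetch_live_cert(host, port=5061, timeout=5):
    """Hypothetical helper (needs network): TLS-connect to the AP on 5061 and
    return its cert for name_matches(). Chain trust stays on, so an unknown CA
    raises SSLCertVerificationError, the other failure Brian mentions."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name comparison is done by name_matches()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run against Henrik's names, the external cert for lcs.company.com passes name_matches while the internal box name srvlcsap.internal.company.com does not, which is exactly the mismatch the Resource Kit tool reports when the wrong cert faces the wrong side.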
"Brian Ricks (513399)" wrote:
| Quote: | Not a problem - my pleasure!
OK - so the external cvert you would use on this AP (and any others that
would be in the array at some point in time behind a load balancer) is:
lcs.company.com
From the Internet, anyone should be able to resolve lcs.company.com AND
telnet to lcs.company.com 5061. If that does not work, there are basic
networking issues.
The internal cert would need to be the name of the box internally...so, if
you internal DNS zone as internal.company.com the internal cert would be:
srvlcsap.internal.company.com
Just like outside, this address should be resolveable via DNS and port 5061
should be obtainable from the Director or FE server who is being sent the
"next hop." This is a DNS resolution, so you must update the correct zone
with the name server name and whatever zone he lives in determines its FQDN.
--
Brian Ricks
BriComp Computers
Beta ID 513399
"Henrik" wrote:
Hi Brian, and thanks for your response.
Can we use an example to make sure I understand you fully ?
Our AP is in a DMZ zone, and can be accessed from the internet using an
adress similar to "lcs.company.com" which is also the adress on the Thawte
certificate.
The server itself is a Windows 2003 Server, running in a workgroup (no
domain) and it's name is "srvLcsAP"
Looking forward to your reply.
Best Regards,
Henrik
Using the above example, what should be the hostname on the certificate ?
"Brian Ricks (513399)" wrote:
For the AP, the external cert must match the external 'A' record name of the
pool in DNS. When the client is attaching to the AP, it is passing this name
and it checks the FQDN of the external name against the external cert.
Internally the same holds true. Whatever the AP's DNS name is known as
internally, that should be the cert's name.
So, if you open the certificate and view it (in Windows itself or from
within the MMC on the AP), it should list the name as the DNS FQDN of the AP.
If they match then it should function OK (assuming the certificate authority
is known by the client and the server).
--
Brian Ricks
BriComp Computers
Beta ID 513399
"Henrik" wrote:
I have set up an LCS environment with 1 LCS server and 1 Access Proxy.
However I am having trouble getting Remote Access working.
I bought a Thawte certificate and applied it to the external side of the
Access Proxy, however the outside Commnicator Client complains about a
certificate error.
I tried using the Diagnostic tool from the Res Kit, and it comes up with an
interesting error:
"The target principal name is incorrect. if <fqdn> is part of a pool, please
ignore this. If server is not part of a pool, server certificate does not
match the server FQDN. Please install on server a proper certificate"
My question is:
How do i verify that my server SN matches the FQDN ? As far as I can tell
from looking at the certificate, the hostname is fine.
|
|
|
| Back to top |
|
 |
|
|
|
|