Microsoft OCS with IPC-R: SIP (M)TLS Trunking directpacket Product Supplement
directpacket Research www.directpacket.com 2
Contents
Prepare DNS ... 6
Prepare Certificate Template for MTLS ... 6
1 Create a new certificate template ... 6
2 Install New Certificate for OCS Front End Server ... 9
3 Install Certificate in the local certificate store ... 10
4 Configure OCS to use the new certificate ... 14
5 Install the CA certificate on the OCS server ... 15
6 Configure OCS Route to Direct Packet IPC-R ... 17
7 Configuring the Direct Packet IPC-R ... 19
8 Add CA certificate to the DP IPC-R SIP Engine ... 22
About this Supplement
Microsoft and Microsoft Office Communications Server are trademarks of the Microsoft Corporation. Direct Packet Research is not affiliated with Microsoft in any way.
IPC-R: Communicating with Microsoft OCS
For this example configuration, we'll be using the following network layout. This document assumes OCS 2007 R2 is already installed and configured to operate with MOC (Microsoft Office Communicator) clients. This example outlines the steps for a Standard Edition Microsoft OCS 2007 R2 implementation. The configuration consists of a Microsoft Active Directory domain, Exchange and Office Communications Server (OCS) infrastructure.
The directpacket solution integrates with Microsoft OCS to allow video endpoints and audio/voice-only endpoints in local or disparate networks to communicate with OCS clients. In addition, the directpacket solution will translate OCS SIP calls to H.323 calls if needed.
Prepare DNS
Create a DNS A record for the Direct Packet IPC-R host in the desired DNS zone. Example: gw.dpint.net. This is the FQDN that the OCS Front End will use for Host Authorization and the static route (section 6), and the certificate the IPC-R presents (section 7) should be issued to the same name.
Prepare Certificate Template for MTLS
This document assumes the administrator has some experience with Microsoft Certificate Services. A domain user account with adequate permission to administer, request and create certificates is required.
Note: the following REQUIRES an enterprise CA running on the Enterprise edition of Windows Server 2003 or 2008. The Standard editions let you duplicate a template as described in these steps, but a duplicated (version 2) template can only be issued by a CA on Windows Server 2003/2008 Enterprise.
1 Create a new certificate template
1.1 On the root certificate authority server, open the Certification Authority MMC: Start, All Programs, Administrative Tools, Certification Authority. In the left navigation pane, right click Certificate Templates and choose Manage.
1.2 Right click the Web Server template and choose Duplicate Template.
1.3 Choose Windows Server 2003, Enterprise Edition from the dialog box.
1.4 On the General tab, type a name for the new template.
1.5 On the Request Handling tab, set the Minimum key size to 1024. Place a check in the box for Allow private key to be exported.
Note: 1024-bit RSA is below the 2048-bit minimum that current CAs and TLS stacks expect; use 2048 unless the IPC-R firmware or OCS deployment cannot handle it. The exportable flag is only needed because the web enrollment in section 2 issues the certificate into the user store and section 3 moves it to the computer store; a certificate requested directly into the computer store does not need an exportable key.
1.6 On the Request Handling tab, click the CSPs button. Place a check in Microsoft Enhanced Cryptographic Provider v1.0. Click OK.
1.7 While back at the properties of the new template, select the Subject Name tab. Ensure the Supply in the request radio button is selected.
1.8 Select the Extensions tab. Double click Application Policies. Click Add. Select Client Authentication. Click OK for each of the open dialog boxes.
1.9 Verify Server Authentication and Client Authentication both appear in the Description of Application Policies box.
Also open the Security tab and limit the Enroll permission to the accounts that will actually request these certificates (the OCS Front End computer account or the administrators performing section 2). A template that takes its subject from the request, carries Client Authentication, and is enrollable by a broad group lets any of those users obtain a certificate for an arbitrary identity.
1.10 Verify the new template is listed.
1.11 Close the Certificate Templates MMC. This will return you to the CA MMC. Right click Certificate Templates, choose New, then Certificate Template to Issue.
1.12 Choose the new template you just created from the list. Click OK.
1.13 Verify the new template is listed.
2 Install New Certificate for OCS Front End Server
2.1 While logged on to the OCS Front End Server, navigate to the issuing domain certificate services website: https://server.domain/certsrv. Log in as the domain administrator or a user account with adequate permission to request certificates. Select the Request a Certificate hyperlink.
2.2 Click Advanced Certificate Request, then Create and Submit a request to this CA. Choose the new certificate template created in the previous steps. Fill in the OCS server's fully qualified domain name and organizational information. Ensure the CSP is Microsoft Enhanced Cryptographic Provider v1.0. Ensure the Key size is 1024 (this matches the template minimum; 2048 is preferable). Place a check in the box for Mark keys as exportable. Ensure the DNS Subject Alternative Name (SAN) is populated in the Attributes field. This should be the host name of the OCS Front End server. Example: if the OCS Front End server name is dpaus12.directpacket.net, the SAN attribute should be formatted as san:dns=dpaus12.directpacket.net. Give a Friendly Name. Click Submit.
Note: a san: value typed into the Attributes field is only honoured if the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set. That flag lets any requester attach any SAN to any template the CA issues, so prefer leaving it off and placing the SAN inside the certificate request itself (certreq does this with a 2.5.29.17 extension in the request INF).
2.3 Answer Yes to the Web Access Confirmation dialog box when prompted.
2.4 Choose to install the certificate.
2.5 Answer Yes to the Web Access Confirmation dialog box when prompted.
2.6 The certificate is installed (into the current user's Personal store).
3 Install Certificate in the local certificate store
3.1 This step is needed for OCS to see and use this certificate. While on the OCS Front End, open the certificate stores in MMC: press Start, type mmc in the field, and press Enter. This opens an empty MMC console. Click File, Add/Remove Snap-in.
3.2 Choose Certificates from the list, then click Add.
3.3 Choose My user account. Click Finish.
3.4 Choose Certificates from the list again, then click Add.
3.5 Choose Computer account this time.
3.6 The Certificates snap-in should now have both the user and computer accounts listed in the left-hand navigation pane. Note: save this snap-in for future use by clicking File, Save. Navigate to the current user's Personal certificate store. Right click the newly issued certificate. Choose All Tasks, then Export.
3.7 Click Next.
3.8 Select the Yes, export the private key radio button. Click Next.
3.9 Place checks in the boxes shown in the supplement's screenshot (not reproduced here). Click Next.
3.11 Save the exported PFX file to disk. Click Save, then Next.
3.12 Click Finish.
3.13 Next we need to import the certificate exported above into the local computer store so OCS can see and use it. Navigate to the Personal certificate store of the Local Computer account. Right click, choose All Tasks, then Import.
3.14 Click Next.
3.15 Select the PFX file you just exported above. Click Next.
3.16 Enter the password. Place a check in Include all extended properties (this keeps the Friendly Name that step 4.3 relies on). Mark this key as exportable is optional; once the key is in the computer store it is safer left unchecked. Click Next.
3.17 Verify the certificate will be placed in the Personal store. Click Next.
3.18 Click Finish.
4 Configure OCS to use the new certificate
4.1 Navigate to the Front End Properties of the OCS server.
4.2 Select the Certificates tab, then press the Select Certificate button.
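The request in steps 2.1 to 3.18 can also be made from an elevated command prompt on the Front End with certreq, which generates the key pair directly in the Local Computer store, so the export and import of section 3 are not needed and the key need not be exportable. This is an added example, not part of the directpacket supplement: the template name OCS-MTLS, the organization string and the CA config string ca01.directpacket.net\directpacket-CA are assumptions; dpaus12.directpacket.net is the Front End name from step 2.2.

```powershell
# Added example, not from the directpacket supplement. Run in an elevated
# PowerShell on the OCS Front End. Assumed values, adjust to your environment:
$fqdn     = 'dpaus12.directpacket.net'                 # Front End FQDN (step 2.2)
$template = 'OCS-MTLS'                                 # name given in step 1.4 (assumed)
$caConfig = 'ca01.directpacket.net\directpacket-CA'    # "Config:" line of certutil -dump (assumed)

# certreq INF. The SAN goes into the request as a 2.5.29.17 extension, which works
# with EDITF_ATTRIBUTESUBJECTALTNAME2 left OFF on the CA; the "san:dns=" web attribute
# of step 2.2 needs that flag ON.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn, O=Direct Packet Research, C=US"
FriendlyName = "OCS FE MTLS"
; the supplement uses 1024; 2048 is the minimum worth issuing today
KeyLength = 2048
; key is created in the machine store, which is where OCS looks (no export/import needed)
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
; AT_KEYEXCHANGE, required for RSA key exchange in TLS
KeySpec = 1
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"

[RequestAttributes]
CertificateTemplate = $template
"@

$work = Join-Path $env:TEMP 'ocs-mtls'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Content -Path "$work\fe.inf" -Value $inf -Encoding ASCII

# 1. build the CSR; the key pair is generated in Cert:\LocalMachine\My
certreq -new "$work\fe.inf" "$work\fe.req"
# 2. submit to the enterprise CA. If the template requires CA manager approval
#    this returns a pending request ID; issue it in the CA MMC and retrieve
#    with: certreq -retrieve -config $caConfig <id> "$work\fe.cer"
certreq -submit -config $caConfig "$work\fe.req" "$work\fe.cer"
# 3. bind the issued certificate to its private key in the machine store
certreq -accept "$work\fe.cer"

# Step 4.3 picks the certificate by Friendly Name; confirm it is there with its key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
    Format-List FriendlyName, Subject, NotAfter, Thumbprint
```

Because the key never leaves the Local Computer store, the template's Allow private key to be exported setting (step 1.5) is not required for this path.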
4.3 Choose the certificate with the Friendly Name created in the previous steps. Click OK.
5 Install the CA certificate on the OCS server
5.1 Skip this step if your domain policies have already implemented this trust. Navigate to the issuing domain certificate services website: https://server.domain/certsrv. Log in as the domain administrator or a user account with adequate permission to request certificates. Click Download a CA certificate, certificate chain, or CRL.
5.2 Choose the Current CA Certificate in the box. Select the DER encoding method. Click Download CA certificate chain. Save the CA certificate chain (a .p7b file) to disk.
5.3 Open the Certificates MMC snap-in we created previously. If you did not save the Certificates MMC, follow the steps previously outlined. Under the Local Computer account, right click the Certificates folder beneath Trusted Root Certification Authorities, then All Tasks, Import.
5.4 Click Next on the Import Wizard dialog box.
5.5 Choose the certificate chain file we downloaded in prior steps. Click Next.
5.6 Verify the certificate chain will be placed in the Trusted Root Certification Authorities container. Click Next.
5.7 Click Finish.
5.8 Click OK.
5.9 Verify the CA certificate chain is listed in BOTH the Local Computer and Current User Trusted Root Certification Authorities stores.
6 Configure OCS Route to Direct Packet IPC-R
6.1 Navigate to the OCS Front End Server. Verify the server is listening on port 5061 for MTLS (this is the default setting, so no changes need to be made).
6.2 To add the Direct Packet IPC-R as a trusted host, navigate to the Front End Properties of the OCS server.
6.3 Select the Host Authorization tab. Add the FQDN of the Direct Packet IPC-R. Place a check in Throttle As Server and Trust As Authenticated. Click OK.
Note: Trust As Authenticated means OCS accepts the identities the IPC-R asserts in SIP messages without authenticating them itself. The entry should name only the IPC-R's FQDN, and the MTLS certificate the IPC-R presents for that FQDN is what binds this trust to the device, so the certificate must be issued by a CA the Front End trusts and to that exact name.
6.4 Add a Static Route rule. Select the Routing tab. Add the FQDN of the DPR IPC-R in the Domain field. Specify the FQDN of the DPR IPC-R in the FQDN field. Select the Transport Type: TLS. Specify the port: 5061. Click OK on all open dialog boxes.
6.5 Set OCS for optional media encryption. Navigate to Front End Pool Properties. Select Support Encryption from the drop-down box. Support Encryption lets a call fall back to unencrypted media when the far end cannot do SRTP; choose Require Encryption instead if every endpoint in the deployment supports it.
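Before moving on to the IPC-R, the OCS side of sections 2 to 6 can be checked in one pass from PowerShell on the Front End. This is an added example, not from the supplement; it assumes the certificate's Friendly Name is "OCS FE MTLS" and uses the names dpaus12.directpacket.net and gw.dpint.net from the text.

```powershell
# Added example, not from the directpacket supplement. Run on the OCS Front End
# after sections 2 to 6. Assumed: Friendly Name "OCS FE MTLS"; FE FQDN and IPC-R
# FQDN as used in the supplement.
$feFqdn   = 'dpaus12.directpacket.net'
$gwFqdn   = 'gw.dpint.net'
$friendly = 'OCS FE MTLS'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $friendly } | Select-Object -First 1
if (-not $cert) { throw "No certificate with Friendly Name '$friendly' in LocalMachine\My (section 3 not completed?)" }

# 1. Private key present in the machine store (steps 3.13 to 3.18)
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; re-import the PFX including the key.' }

# 2. Both EKUs present (steps 1.8 and 1.9): Server Auth to accept MTLS, Client Auth to originate it
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus = @()
if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {   # serverAuth, clientAuth
    if ($ekus -notcontains $oid) { throw "EKU $oid missing; the template of step 1.8 was not used" }
}

# 3. SAN carries the Front End FQDN (step 2.2)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($feFqdn)) {
    throw "SAN does not contain $feFqdn; the CA did not honour the san: attribute"
}

# 4. Chain builds to a trusted root in the machine store (section 5), with revocation checked
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Chain does not build; import the CA chain into Trusted Root (step 5.6)'
}

# 5. Something is listening for MTLS on TCP 5061 (step 6.1)
if (-not (netstat -an | Select-String ':5061\s+\S+\s+LISTENING')) { throw 'Nothing listening on TCP 5061' }

# 6. The FQDN used in Host Authorization and the static route resolves (Prepare DNS)
$addrs = [System.Net.Dns]::GetHostAddresses($gwFqdn)
if (-not $addrs) { throw "$gwFqdn does not resolve; create the A record first" }
$addrs | ForEach-Object { "$gwFqdn -> $($_.IPAddressToString)" }
'All checks passed'
```

Each check maps to the numbered step it verifies, so a failure points back at the section to redo.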
7 Configuring the Direct Packet IPC-R
7.1 SIP Configuration: Navigate to Transport Configuration, SIP Configuration. Click the Trunk Configuration link at the top. Press the Create Trunk button. Enter a Trunk Name. Select TLS as the Transport Type in Inbound and Outbound Settings. Press the Create Trunk button.
7.2 Create a Prefix: Click the Prefix Configuration link at the top. Press the Create Prefix button. Enter a Prefix name or number. Click the Create Prefix button.
7.3 Configure Certificates: Create a new Key Set (a key set consists of an RSA private key, a certificate request and a signed certificate). Click the TLS Keys link at the top. Press the Create Key Set button.
7.4 Fill out the Certificate Signing Request information. Use the IPC-R's FQDN from Prepare DNS (gw.dpint.net in this example) as the Common Name, since OCS matches the certificate against the FQDN configured in section 6. Click Create Request.
7.5 When CSR Creation Complete is displayed, click Return.
7.6 A Certificate Request will now be available for submission to the CA. Copy the CSR data to the workstation's clipboard.
7.7 In a new browser tab or window, navigate to the issuing domain certificate services website: https://server.domain/certsrv. Log in as the domain administrator or a user account with adequate permission to request certificates. Select the Request a Certificate hyperlink.
7.8 Click the Advanced Certificate Request hyperlink.
7.9 Paste the CSR into the Saved Request box provided. Select the Server and Client Authentication certificate template we created earlier. Press the Submit button.
7.10 Select the Base 64 encoded radio button. Click the Download certificate button. Save it to a safe location.
7.11 Return to the Direct Packet IPC-R web GUI. Open the newly downloaded certificate in a text editor. Copy the certificate data (including the BEGIN and END lines) to your workstation's clipboard.
7.12 Paste the certificate data into the box provided on the TLS Keys page. Press the Save Certificate button.
8 Add CA certificate to the DP IPC-R SIP Engine
8.1 Navigate to the issuing domain certificate services website: https://server.domain/certsrv. Log in as the domain administrator or a user account with adequate permission to request certificates. Click Download a CA certificate, certificate chain, or CRL.
8.2 Select the Current CA certificate from the box. Choose the Base 64 encoding method. Click Download CA certificate.
8.3 Save the CA certificate to a safe location. Open the CA certificate in a text editor. Copy the contents to your workstation's clipboard. Return to the Direct Packet IPC-R web GUI. Click the TLS Settings link at the top. Choose the desired key set from the Select Active TLS Certificate dropdown box. Click Save Key Choice. Paste the CA certificate into the text area provided. Press the Save CA Cert button. This CA certificate is what the IPC-R uses to validate the certificate the OCS Front End presents, so it must be the CA (or chain) that issued the Front End certificate in section 2.
8.4 Configuration Complete. UACs registered to the DPR IPC-R can now dial MOC clients using 9username@ocsdomain.net. The OCS test domain used in this example document is directpacketresearch.net and a valid Active Directory user is tester3, so the dial string from a non-MOC UAC would be 9tester3@directpacketresearch.net. In this example, the DPR IPC-R host was created in the DNS zone dpint.net. MOC clients can dial UACs registered to the DPR IPC-R using this domain. A valid UAC in the IPC-R community is 3324, so dial 3324@gw.dpint.net from a MOC client.
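Before placing test calls, it is worth confirming from the OCS Front End that the MTLS trunk to the IPC-R actually completes and that the certificate the IPC-R presents is the one OCS will accept for the static route of step 6.4. This is an added example, not from the supplement: it opens a TLS connection to the IPC-R on 5061 using the Front End certificate as the client certificate and reports what Windows concludes about the peer. It assumes the Front End certificate's Friendly Name is "OCS FE MTLS" and uses gw.dpint.net from the text.

```powershell
# Added example, not from the directpacket supplement. Run on the OCS Front End
# once sections 7 and 8 are done. Assumed: Friendly Name "OCS FE MTLS" for the FE
# certificate; IPC-R FQDN gw.dpint.net as in the supplement.
$gw       = 'gw.dpint.net'
$friendly = 'OCS FE MTLS'

$feCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $friendly } | Select-Object -First 1
if (-not $feCert) { throw "Front End certificate '$friendly' not found in LocalMachine\My" }

# Record the validation verdict instead of aborting inside the handshake, so the
# checks below can report why OCS would refuse this peer.
$script:peerErrors = $null
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:peerErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($gw, 5061)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
try {
    $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    [void]$clientCerts.Add($feCert)
    # TLS 1.0 is what an OCS 2007 R2 era stack negotiates; widen if the IPC-R supports newer versions.
    $ssl.AuthenticateAsClient($gw, $clientCerts, [System.Security.Authentication.SslProtocols]::Tls, $true)

    $peer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Peer subject : $($peer.Subject)"
    "Peer issuer  : $($peer.Issuer)"
    "Negotiated   : $($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
    "Mutual auth  : $($ssl.IsMutuallyAuthenticated)"   # True only if the IPC-R asked for and accepted our certificate

    # Chain/name/revocation verdict of the Windows trust store (section 5 CA import on this side)
    if ($script:peerErrors -ne 'None') { Write-Warning "Windows flagged the IPC-R certificate: $script:peerErrors" }

    # OCS matches the static-route FQDN (step 6.4) against the SAN or CN of the presented certificate
    $san = $peer.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $nameOk = ($san -and $san.Format($false) -match [regex]::Escape($gw)) -or ($peer.Subject -match "CN=$([regex]::Escape($gw))")
    if (-not $nameOk) { Write-Warning "IPC-R certificate is not issued to $gw (check the CSR of step 7.4)" }

    # The template of step 7.9 must have given the IPC-R certificate Server Authentication
    $ekuExt = $peer.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @(); if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') { Write-Warning 'IPC-R certificate lacks the Server Authentication EKU' }
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

A clean run shows no warnings, the peer subject carrying the IPC-R FQDN, and an issuer matching the CA imported in section 5; a handshake exception at AuthenticateAsClient usually means the IPC-R rejected the Front End certificate, which points at the CA certificate pasted in step 8.3.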