552 Views, 0 Helpful, 1 Replies

single inbox ssl

Ray Morehead
Level 1

Happy Holidays all!

Bear with me as I'm learning this by the seat of my pants, so my wording may not be accurate and if so just correct me....

We're working on setting up single inbox with exchange 2010. Our configuration:

Kemp Load Balancers>Exchange 2010>Unity Connection8.6

(all in a cluster)

During initial configuration testing we were able to get single inbox working by-passing the load balancers but now we need to secure it.

When we applied SSL on exchange, the connection broke....even after configuring Unity to use NTLM and HTTPS.

I installed the Tomcat trust certificate issued by DigiCert (which I received from my ExchAdmin).

So that's where I am at this point.

My question: In the following cisco doc http://www.cisco.com/en/US/docs/voice_ip_comm/connection/8x/administration/guide/8xcucsag215.html#wp1069897

2. If a Connection cluster is configured, run the set web-security CLI command on both Connection servers in the cluster and assign both servers the same alternate name. The alternate name will automatically be included in the certificate signing request and in the certificate.

When I installed the certificate, I installed it as Tomcat-Trust....this seemed like the only place Unity would allow for me to upload it to. Is this correct?

And what exactly would be the alternate name? As I look at the cert that I installed, it shows the Issuer name and the Subject name....which one is correct? The Subject name is already in the altName list.

Am I even going in the right direction? I'm trying to understand this process better before messing with the cli as it looks like it could have some negative impact if I do this wrong.

Thanks for your time and your help....

~Ray

1 Reply

Jonathan Schulenberg
Hall of Fame
2. If a Connection cluster is configured, run the set web-security CLI command on both Connection servers in the cluster and assign both servers the same alternate name. The alternate name will automatically be included in the certificate signing request and in the certificate.

This has nothing to do with Single Inbox. This is for uploading a signed certificate for Unity Connection itself to avoid security warnings when using /ciscopca or /cucadmin. The Subject Alternate Name is used when you want to address both servers by the same DNS CNAME record. Example: cxnserver1.domain.com and cxnserver2.domain.com should both be accessible as voicemail.domain.com without a security warning.

All of the Single Inbox-related configuration is in this document:

http://www.cisco.com/en/US/docs/voice_ip_comm/connection/9x/unified_messaging/guide/9xcucumg020.html

Follow the procedure here to the letter. I recommend sitting down with your Exchange admin at the same table and doing it together. You can waste days of time by either of you skipping a step.

For example, you need to upload the root CA certificate which signed the Exchange CAS server certificate to the tomcat-trust and connection-trust stores.

Where I have seen this break with load balancers in the past is if the full certificate chain (root CA, intermediate signing CA, and actual Exchange CAS certificate) is not presented during the SSL handshake. In other words they uploaded only the Exchange CAS certificate to the load balancer; the full chain must be intact. The only way to see this from CXN is to run a packet capture and look at the certificates presented.

Please remember to rate helpful responses and identify helpful or correct answers.
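The failure mode the reply describes (client trust store holds only the root CA, but the load balancer sends the Exchange CAS leaf certificate without the intermediate) can be reproduced offline. The Go program below is an added example, not code from the thread or from Cisco or Kemp: it builds a constructed three-tier lab PKI (root CA, intermediate CA, server leaf), puts only the root into the client's trust store, the way the reply says to load the root CA into tomcat-trust and connection-trust, and then verifies the leaf twice, once with a leaf-only "presented chain" and once with the full chain. The hostname exchange-cas.example.com and all certificate names are assumptions for the lab.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey returns a fresh P-256 key for the constructed lab PKI (not real certificates).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key and returns the parsed certificate
// (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// LabChain mirrors the chain the reply lists: root CA, intermediate signing CA, Exchange CAS leaf.
type LabChain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildLabChain creates the constructed chain for serverName (assumed hostname).
func BuildLabChain(serverName string) LabChain {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()

	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootTmpl := caTmpl(1, "Lab Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTmpl(2, "Lab Intermediate CA"), root, &interKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return LabChain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyPresented plays the CXN client: the trust store holds only the root CA,
// and presented is exactly what the server or load balancer sent, leaf first.
// Intermediates must come from the handshake, not from the trust store.
func VerifyPresented(root *x509.Certificate, presented []*x509.Certificate, serverName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	intermediates := x509.NewCertPool()
	for _, c := range presented[1:] {
		intermediates.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		DNSName:       serverName,
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "signed by unknown authority"
// failure a missing intermediate produces.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	const host = "exchange-cas.example.com"
	c := BuildLabChain(host)
	fmt.Println("leaf only: ", VerifyPresented(c.Root, []*x509.Certificate{c.Leaf}, host))
	fmt.Println("full chain:", VerifyPresented(c.Root, []*x509.Certificate{c.Leaf, c.Intermediate}, host))
}
```

Against a live load balancer, the same leaf-first list the reply says to inspect in a packet capture is what `openssl s_client -connect host:443 -showcerts` prints as the server certificate chain; if only one certificate appears there, the intermediate is missing on the load balancer side and no amount of trust-store work on Unity Connection will fix it.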