Thursday, September 18, 2008

Public IM Connectivity and Multiple SIP Domains

The main point of this article is to clear up some confusion about how
connectivity to a PIC provider works with multiple SIP domains, since PIC providers
ignore Subject Alternative Name (SAN) entries in a certificate. So if we have
multiple SIP domains, how exactly do we achieve PIC federation for all of them?
Well, read on and I’ll tell you!



Public IM Connectivity takes advantage of federation to allow users to talk with
Yahoo, MSN, and AOL. Allowing your users to communicate with these providers is
not all or nothing. You can choose to allow users to communicate with one PIC
provider, two PIC providers, or all three.



If you take a look at the OCS documentation, it clearly states that for
Federation, you need a DNS SRV record of _sipfederationtls._tcp.<domain>, over port
5061. <domain> will be your SIP domain. When you install an Access Edge, you
specify an External Access Edge FQDN. So let’s say our main SIP Domain is
exchange.shudnow.net. We may specify our External Access Edge FQDN as
sip.exchange.shudnow.net. So our Federation DNS record will be _sipfederationtls._tcp.shudnow.net
that points to sip.exchange.shudnow.net. This is possible because both
namespaces match up. You cannot have an SRV record point to an A record that
belongs to a different namespace.



So, what do we do for all our other SIP domains? Well, when we install the Edge,
we specify that we have multiple SIP domains, and those SIP domains get
added to the Subject Alternative Name (SAN) of the certificate. This allows us
to create a separate Federation SRV record for each domain and point it at an A record
that matches the FQDN specified in one of the SAN entries of the certificate assigned
to the Access Edge role.



But as stated earlier, PIC providers ignore SAN names. So how do we allow
federation to multiple SIP domains? These SRV records are only used for
open/enhanced federation, where we want to allow domains to automatically
federate with our OCS organization. PIC does not use open/enhanced federation.
It uses something called Direct Federation, where you specify which SIP
domains belong to a specific Access Edge FQDN.



So let’s say in my organization, I have the following SIP domains:



* exchange.shudnow.net

* sales.shudnow.net

* marketing.shudnow.net



When setting up PIC on Microsoft’s Licensing Website, you specify that for
each of these SIP domains the PIC provider should use the Common Name of
the External Access Edge certificate, which in this example is sip.exchange.shudnow.net. So instead
of PIC looking up the SRV record for each domain (which wouldn’t work unless PIC
providers started honoring SANs), each time it needs to communicate with a specific
domain it will always use the Common Name of the External Access Edge FQDN.
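To make the distinction concrete, here is a small added script (mine, not from the post) that audits a constructed set of SRV records and an Access Edge certificate against the two rules described above: open/enhanced federation accepts the Edge certificate by CN or SAN, while PIC direct federation compares the registered Edge FQDN against the Common Name only. The domain names, SRV records, certificate contents and the suffix-based namespace check are assumptions constructed for this example.

```python
# Added example, not code from the original post. It models the two federation
# paths the post describes: open/enhanced federation (SRV lookup, CN or SAN may
# match) versus PIC direct federation (CN only). All names below are constructed.

def srv_name(sip_domain):
    return f"_sipfederationtls._tcp.{sip_domain}"

def cert_covers(cert, fqdn):
    """cert is {'cn': common_name, 'sans': [...]}; CN or any SAN may match."""
    return fqdn == cert["cn"] or fqdn in cert["sans"]

def check_open_federation(sip_domain, srv_records, cert):
    """Partner resolves the SRV record, connects on 5061, accepts CN or SAN."""
    rec = srv_records.get(srv_name(sip_domain))
    if rec is None:
        return False, "no _sipfederationtls._tcp SRV record"
    target, port = rec
    if port != 5061:
        return False, f"SRV port {port} is not 5061"
    # Namespace rule from the post, modelled as a DNS suffix check (assumption).
    if not target.endswith("." + sip_domain):
        return False, f"{target} is outside the {sip_domain} namespace"
    if not cert_covers(cert, target):
        return False, f"{target} is neither the CN nor a SAN"
    return True, f"{target} covered by certificate"

def check_pic(edge_fqdn_registered, cert):
    """PIC: the Edge FQDN registered per SIP domain must equal the CN; SANs are ignored."""
    if edge_fqdn_registered == cert["cn"]:
        return True, f"{edge_fqdn_registered} matches CN"
    return False, f"{edge_fqdn_registered} is not the CN; PIC ignores SANs"

# Constructed sample data for the three SIP domains in the post.
SIP_DOMAINS = ("exchange.shudnow.net", "sales.shudnow.net", "marketing.shudnow.net")
CERT = {"cn": "sip.exchange.shudnow.net",
        "sans": ["sip.sales.shudnow.net", "sip.marketing.shudnow.net"]}
SRV = {srv_name(d): (f"sip.{d}", 5061) for d in SIP_DOMAINS}
# FQDN registered per SIP domain on the PIC side; marketing wrongly uses its SAN.
PIC_EDGE = {"exchange.shudnow.net": "sip.exchange.shudnow.net",
            "sales.shudnow.net": "sip.exchange.shudnow.net",
            "marketing.shudnow.net": "sip.marketing.shudnow.net"}

def audit():
    """Per SIP domain: (open federation OK?, PIC OK?)."""
    return {d: (check_open_federation(d, SRV, CERT)[0], check_pic(PIC_EDGE[d], CERT)[0])
            for d in SIP_DOMAINS}

if __name__ == "__main__":
    for domain, (open_ok, pic_ok) in audit().items():
        print(f"{domain}: open={'OK' if open_ok else 'FAIL'} PIC={'OK' if pic_ok else 'FAIL'}")
```

Running it shows all three domains passing open federation through the SAN entries, while marketing.shudnow.net fails PIC because its SAN name, not the Common Name, was registered.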



Because of this, your SRV records are not needed unless you plan on doing
Open/Enhanced Federation. You can read more about Federation in the
Server Deployment Guide.
