Last time we left off about halfway through the OCS 2007 installer. This part should run through the end of the initial installation process. I’ll cover some of the initial configuration in the next part.
Configure Internal Certificate
The Configure Server section should now have a green checkmark next to it. Click the Run button under Configure Certificate to continue.
The Configure Certificate Wizard should start. Press Next to continue.
Choose Create a new certificate and press Next.
Choose Send the request immediately to an online certification authority and press Next.
Give the certificate a meaningful friendly name, uncheck Mark cert as exportable and press Next. We shouldn’t ever need to export the certificate from the front-end server.
Fill in organization and organization unit names and press Next.
Leave the subject name as the fully qualified name of the internal OCS machine, tap-ocs-2k7.ptown.com. In the subject alternate name (SAN) box enter tap-ocs-2k7.ptown.com,sip.confusedamused.com. Press Next.
Note: The first SAN listed must be the same as the subject name because of how ISA 2006 handles the reverse proxy. If we left sip.confusedamused.com as the sole SAN entry, everything would work fine internally, but we’d run into problems with the reverse proxy later. We’ll later tell ISA that the internal site name is tap-ocs-2k7.ptown.com, and when ISA connects it tries to match that name against the first SAN listed. When the two don’t line up, ISA throws an Error 500 - Service Principal Name Incorrect. Doing the certificate this way now removes some unnecessary work later. You can read more about this ISA issue here.
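To make the ordering rule above concrete, here is an added example (not from the original post) that uses the Python `cryptography` library to build self-signed stand-ins for the wizard’s certificate and checks that the subject CN equals the first DNS SAN, flagging the single-SAN layout the note warns about and a certificate with no SAN at all. The hostnames are the ones used in this walkthrough; the certificates are constructed test data, not the real internal CA’s output.

```python
# Added example: build test certificates and check the CN-equals-first-SAN rule
# that the ISA 2006 reverse proxy depends on. Requires the 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa


def build_test_cert(common_name, san_dns_names):
    """Self-signed stand-in for the wizard's certificate (constructed test data)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if san_dns_names:  # an empty list models a CA that dropped the requested SAN
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in san_dns_names]),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def check_reverse_proxy_san(cert):
    """Return (ok, reason); ok is True only when the subject CN is the first DNS SAN."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False, "no SAN extension present; verify what the CA actually issued"
    dns_names = san.get_values_for_type(x509.DNSName)
    if not dns_names:
        return False, "SAN extension carries no DNS names"
    if dns_names[0].lower() != cn.lower():
        return False, f"first SAN {dns_names[0]} differs from subject {cn}; ISA will fail"
    return True, f"subject {cn} matches first SAN; SANs: {', '.join(dns_names)}"


if __name__ == "__main__":
    host = "tap-ocs-2k7.ptown.com"
    for sans in ([host, "sip.confusedamused.com"], ["sip.confusedamused.com"], []):
        print(check_reverse_proxy_san(build_test_cert(host, sans)))
```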
Enter a state and province and press Next.
The certificate authority, tap-dc-2k3.ptown.com\P-Town Certificate Authority, should already be detected. Press Next.
Review the certificate information and press Next to generate the certificate.
The success message should appear. Press the Assign button to use the certificate just created for OCS services.
A message indicating the certificate was applied should appear. Press OK.
Click Finish to close the certificate wizard.
Assign Web Components Certificate
Open IIS Manager, expand the Web Sites folder, right-click on the Default Web Site and choose Properties.
Click on the Directory Security tab.
Click the Server Certificate button to start the Web Server Certificate Wizard.
Press Next to start the process.
Choose Assign an existing certificate and press Next.
Select the certificate that was issued to tap-ocs-2k7.ptown.com and press Next.
Leave the default SSL port of 443 and press Next.
Review the certificate summary and press Next.
A success message appears. Click Finish to close the wizard.
Warning: The service accounts RTCService and RTCComponentService do not have the Password Never Expires option selected by default. Unless you want those account passwords to expire under the default domain policy, I would recommend going into Active Directory Users & Computers and making sure those passwords don’t expire. If they do expire, your OCS services won’t start.
Start Services
At this point the OCS services can be started. Flip back to the OCS installer and click the Run button under Start Services.
The Start Services Wizard should open. Press Next to continue.
Press Next again to start the list of services found.
A success dialog will appear when it finishes. Check the box to view the log if desired, but press Finish to continue.
At this point, OCS is up and running, but will not pass many of the validation tests. Exit the installer completely. I’ll cover the DNS configuration in the next part of this series.
March 26th, 2008 at 8:26 am
Very nice tutorial, but a little sidenote.
If you are using a CSR and an external CA to create your certificates, be very explicit to them that you need a SAN (Subject Alternative Name) type certificate. Else during the SSL signing process the Subject Alternative Name might be dropped. In this case the services will not start either, telling you that the Subject Name isn’t in the trusted server list…
April 21st, 2008 at 11:27 pm
I have configured first the OCS server, then the edge server, and now want to configure the reverse proxy server… I have successfully completed all the steps and the validation tests fail… when will I be able to get the next part…
Thanks…
Regards, Nitin
June 5th, 2008 at 7:36 am
Do you know the extent of the changes to IIS 6.0 that OCS 2007 makes during the install? The reason I ask: the OCS 2007 upgrade from LCS 2005 hosed the authentication to some critical sites we had nested as virtual directories underneath the default web site in IIS.
Any insight would be greatly appreciated.
Ron
June 5th, 2008 at 9:59 am
Thanks for providing this great documentation. I’m trying to add external connectivity to our existing MOCS 2007 (Ent) install. The process is quite complicated and the documentation from Microsoft leaves a lot to be desired. Will there be a 3rd part to these instructions?
June 5th, 2008 at 10:00 am
Oops, my bad, there it is. Thanks
June 10th, 2008 at 4:14 pm
Hello there,
We are also installing Microsoft Office Communications server. But after doing the certificate wizard, which was done by asking a certificate authority server to provide us a trial certificate, we get an error 0xC3EC794B which tells that the Specified Role does not match the installed product id. Does this have to do with the certificate that we installed? Or have we done a wrong configuration during steps 1 - 6. Hoping for a response. Thanks and more power to your site!
June 18th, 2008 at 11:52 am
I am following Microsoft’s OCS lab setup instructions. I have created a new certificate template for server authentication by duplicating the web server template and configured it for autoenrollment. However, I don’t see the template when I use http://contoso.ad/certsrv or in the OCS deployment/configure certificate wizard. I see that a certificate based on this template has been issued in the console Root/Certificates (Local Computer)/Personal/Certificates. Any insight would be greatly appreciated.
Sylvester
June 22nd, 2008 at 12:45 pm
Kristin, make sure the /role:xx is correct for your version, whether ee or se, when you run the validation check
July 2nd, 2008 at 12:19 am
How many SANs on ISA 2006 with OCS 2007 and Exchange 2007 OWA Anywhere? Is this right?
When ISA 2006 has a listener for https and it is used for Exchange 2007 OWA, the SSL listener certificate will have Subject Alternative Names (SAN) of mail.myorg.local, mail.myorg.com, autodiscover.myorg.com and thirdly SAN names of sip.myorg.com, im.myorg.com when you have OCS 2007.
Does ISA 2006 only read 2 SAN names anyway?
Out_theBack
July 2nd, 2008 at 7:18 am
ISA will read all the SANs in a cert on a listener. The limitation comes in if you use a SAN on the internal web site that you are reverse proxying.
July 22nd, 2008 at 10:23 pm
Thanks, it’s a nice post. Saved many hours.