Figure 4-17

Certificate Templates

When requesting certificates for your LCS servers or pools, you select from a certificate template. A certificate template is a pre-built set of certificate properties that reduces the time involved in requesting the certificate you need. When requesting an LCS certificate for your servers and pools, the Web Server certificate template is often used because its configuration matches the one required for a certificate used within a TLS-enabled LCS environment. The only properties that then need to be filled out are the subject name or common name, the validity period, and any other custom fields. If the Web Server certificate template does not meet your needs, you can create a customized template of your own.

Certificate MMC Console

Within each Windows desktop or server operating system, you have the capability to request, import, and export certificates and to add additional functionality. Using the MMC console, a client machine can request or import the Root CA certificate that is required for its mutual trust. From an LCS server, you can also use the MMC console to request, import, or export the certificate required to run on the server.

Preparing Your Environment for Live Communications Server 2005

7. On the Advanced Certificate Request form, fill out the required fields for your certificate as follows:

   - Certificate Template: Choose the appropriate template, such as the Web Server template. If you want the key automatically stored within the local machine's personal certificate store, select the "Store certificate in the local computer certificate store" checkbox.
   - Friendly Name: Enter the FQDN of your LCS server or pool in this field, as shown in Figure 4-15, e.g., LCSPool1.Domain.Company.com, LCSPool1.Company.com, or LCSServer1.Company.com.

Figure 4-15

8. Click the Submit button.
9. The Potential Scripting Violation warning message may appear. Click the Yes button.
10. The Certificate Issued page, shown in Figure 4-16, will open. Click the Install This Certificate link to install the certificate.

Validity Period

In some cases, when a client cannot connect, it is due to the validity period of the certificate. The validity period of a certificate identifies when a certificate is active and when it will expire. Some organizations enable Certificate Revocation Services so that certificates within their network infrastructure automatically expire based on a specific rule or time frame. When requesting your LCS certificates, it is important to set the validity period correctly and to keep track of the expiration date so that the certificate can be renewed. If you have Microsoft Operations Manager 2005, you will be alerted that the certificate has expired; otherwise, you will only start to see problems in your environment when clients cannot connect or servers cannot authenticate with one another.

As an example, the following table outlines the properties of a certificate that will be used for an LCS 2005 SP1 Enterprise Edition pool server or an LCS 2005 SP1 Standard Edition server:

Server or Pool | CN / Friendly Name     | EKU                   | Valid From | Valid To
Server         | LCSServer1.Company.com | Server Authentication | 01/01/2006 | 01/01/2007
Pool           | LCSPool1.Company.com   | Server Authentication | 01/01/2006 | 01/01/2007

Certificate Deployment

There are several ways to request certificates for servers and client machines. The following sections describe the most commonly used processes for requesting certificates within a Microsoft Windows Server infrastructure.

Certsrv Website

Some organizations that deploy an internal Windows Certificate Authority will enable a feature within Microsoft Internet Information Services (IIS) for certificate enrollment. This is a new feature enabled within Microsoft Windows 2003. It provides a web-based application that enables a user to request a certificate and fill out the certificate properties online. To use the IIS Certsrv website to request a certificate for your LCS pool or server, perform the following steps:

1. Open Internet Explorer.
2. Browse to the URL of your Certificate Services website, such as https://server/certsrv.
3. The Microsoft Certificate Services site will open (see Figure 4-13).
4. Under the Select a Task section of the main page, click the Request a Certificate link.
5. On the Request a Certificate page, click the Advanced Certificate Request link.
6. On the Advanced Certificate Request page, click the Create and submit a request to this CA link, as shown in Figure 4-14.

Figure 4-12

The following properties are of critical importance when requesting a certificate for an LCS server or pool:

- Common name or subject name
- Enhanced Key Usage
- Validity period
- Subject alternative name

Common Name or Subject Name

The common name or subject name of a certificate is an optional property to set when requesting a certificate. However, it is required when requesting a certificate for an LCS server or pool. The subject name/common name correctly identifies the name of the LCS server or pool as the name of the certificate. Correctly identifying a certificate common name or subject name is absolutely critical when requesting a certificate for your LCS server or pool because when an LCS client signs in, the service checks to make sure that the server or pool into which the client is logging matches the name of the certificate. If the name does not match, the client will not connect. If you understand this process, you will be able to master the most confusing element in deploying Live Communications Server 2005 SP1.

Enhanced Key Usage

The Enhanced Key Usage (EKU) field is the property of a certificate that identifies what the certificate is being used for. There are several EKU types, but when working with LCS, the requirement for the EKU of an LCS server or pool is Server Authentication. If LCS were authenticating a client certificate based on a user's name, the EKU would be Server and Client Authentication, but as explained earlier in this chapter, LCS does not require a specific user certificate, only that the machine from which a user signs in to LCS trusts the certificate Root CA or chain. Recall that pre-LCS 2005 SP1 servers required both the Client and Server Authentication EKU type, but with LCS 2005 SP1, only a Server Authentication EKU type is required.

Chapter 4
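Before installing an issued certificate, an administrator would verify the properties just listed (and the validity window discussed under Validity Period) against the name clients actually connect to. The following PowerShell function is an added example, not code from the book: it checks a certificate from the local computer's Personal store for a CN or SAN DNS name matching the server or pool FQDN, a Server Authentication EKU, and a current validity period. The function name Test-LcsServerCertificate, the 30-day warning threshold and the Cert:\LocalMachine\My store path are assumptions; LCSPool1.Company.com is the sample pool name used in this chapter.

```powershell
# Added example (not from the book): validate an LCS server/pool certificate the
# way the chapter describes: name match, Server Authentication EKU, validity period.
function Test-LcsServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)][string]$ExpectedFqdn,
        [int]$WarnDays = 30   # assumed renewal warning threshold
    )
    $problems = @()
    # 1. Name check: the client compares the server/pool name it signed in to with the
    #    certificate name, so gather the CN plus any DNS names in the SAN (OID 2.5.29.17).
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Certificate.GetNameInfo($nameType, $false)
    $names = @($cn)
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names += ($sanExt.Format($true) -split "`r?`n") |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
    }
    if ($names -notcontains $ExpectedFqdn) {
        $problems += "name mismatch: expected $ExpectedFqdn, certificate has $($names -join ', ')"
    }
    # 2. Enhanced Key Usage (OID 2.5.29.37) must include id-kp-serverAuth.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekus -notcontains $serverAuthOid) {
        $problems += "EKU lacks Server Authentication ($serverAuthOid); found: $($ekus -join ', ')"
    }
    # 3. Validity period: flag expired or not-yet-valid certificates, and warn ahead of
    #    expiry so the renewal date is tracked rather than discovered by failed sign-ins.
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore) { $problems += "not valid until $($Certificate.NotBefore)" }
    elseif ($now -gt $Certificate.NotAfter) { $problems += "expired on $($Certificate.NotAfter)" }
    elseif (($Certificate.NotAfter - $now).TotalDays -lt $WarnDays) {
        $problems += "expires on $($Certificate.NotAfter), within $WarnDays days"
    }
    New-Object PSObject -Property @{ Thumbprint = $Certificate.Thumbprint; Subject = $Certificate.Subject; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Check every certificate in the local computer's Personal store against the pool FQDN.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LcsServerCertificate -Certificate $_ -ExpectedFqdn 'LCSPool1.Company.com' } |
    Format-List Subject, Thumbprint, Ok, Problems
```

A certificate that reports Ok = True for the pool FQDN is the one to install on the server; any entry under Problems corresponds to one of the three properties the chapter warns will stop clients from connecting.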

Figure 4-11

Certificate Types

You can select from several certificate EKU (Enhanced Key Usage) types when creating a digital certificate. Prior to LCS 2005, the requirement for an LCS server certificate was a Server and Client Authentication EKU certificate. With LCS 2005 SP1, only a Server Authentication EKU certificate is required because the chain is not actually authenticating a user certificate; it is authenticating that the client trusts the Certificate Authority. The Server Authentication EKU certificate is used to authenticate the LCS Standard Edition or Enterprise Edition servers within the Root CA chain. Figure 4-12 shows an example of an LCS Enterprise Edition pool server certificate.

LCS Certificate Properties

When requesting certificates for your LCS servers or LCS pools, several properties are extremely important. If these properties are not set correctly, your LCS environment will not work, and much time will be lost going back to request the right certificate. This is a huge concern for organizations that purchase public certificates and do not order the correct certificate the first time.

Figure 4-11 labels: LCS 2005 SP1 Environment; IM session is initiated using TLS; client trusts against Root CA (Windows CA, VeriSign, etc.); LCS server certificates trust against the same Root CA, matching clients.

1. Insert the Microsoft Office Communicator CD into the CD drive of the system that was used in the previous exercise.
2. Copy the communicator.adm template file to your %windir%\inf directory; generally, this directory is C:\windows\inf.
3. In the Active Directory Users and Computers Group Policy editor, right-click on the RTCClientTest OU and select Properties.
4. Select the Group Policy tab and click the New button.
5. Name the new Group Policy object Communicator Client Test Policy and press Enter.
6. Select the Communicator Client Test Policy and select Properties. When the Communicator Client Test Policy Properties dialog box appears, select the Security tab.
7. Select the Authenticated Users group and uncheck Apply Group Policy. Do not add an explicit Deny.
8. Select the Add button, search for the RTCClient Policy Test Group, and click OK. This should add the group to the list of group or user names within the policy's Properties box.
9. Ensure that Read permission is set to Allow. Select the Allow checkbox for Apply Group Policy.
10. Validate that no other groups or users have Apply Group Policy, and then click Apply and OK.

This group is being reused from the rtcclient.adm template testing performed earlier in this section. While a Domain Admin, or other privileged account, should not be enabled for Live Communications for the same security reasons it should not be e-mail enabled, it is possible that a policy may need to be applied to it, and an explicit Deny would prevent this. As noted when the rtcclient.adm template was implemented in the preceding section, this is being performed now because it is a best practice to prevent a policy from being configured and accidentally applied to a client or set of clients, such as Authenticated Users. This is not a strictly necessary step, as the template file is copied into a policy contained within the Active Directory SYSVOL.

11. Select the Communicator Client Test Policy and click the Edit button. This will launch the Group Policy Object Editor.
12. Right-click on the Administrative Templates folder under either Computer Configuration or User Configuration and select Add/Remove Templates.
13. On the Add/Remove Templates dialog box you will see several current policy templates. Select all of those templates and then select Remove (this is done because we are only interested in the communicator.adm policy template).
14. Select the Add button. This will bring up the Policy Templates dialog box. Select the communicator.adm template and click the Open button. Select the Close button on the Add/Remove Templates dialog.
15. Click the + boxes on the Administrative Templates folder, which is a subordinate of both User Configuration and Computer Configuration.
16. Click the + boxes next to Microsoft Office Communicator Policy Settings.
17. Click Microsoft Office Communicator Feature Policies. From here, the individual policies and their functions can be reviewed.

Understanding LCS and Certificates

LCS requires digital certificates if you deploy Transport Layer Security (TLS) for client connectivity or if you have multiple LCS servers within your environment using Mutual Transport Layer Security (MTLS). As described in Chapter 1, LCS uses TLS to encrypt Instant Messaging communications between users and networks. LCS requires MTLS to provide server-to-server communication between LCS servers. TLS, like its predecessor, Secure Sockets Layer (SSL), requires a certificate at the server level tied to a certificate root chain. This issuing chain provides authoritative trust for servers within an LCS infrastructure. Figure 4-11 shows the flow of communication across a TLS-encrypted pipe, with each endpoint's required certificate. The TLS certificate requirements within an LCS deployment include the following:

- All client machines that will connect to the LCS service must have a trusted Root Certificate Authority (CA) certificate installed on their desktop. Most personal computers ship with default Root CA certificates such as VeriSign, Entrust, and others. The client machine does not need a user-specific certificate; it is only necessary that the client trusts the Root CA from which the LCS server certificates were generated.
- Each LCS server to which the client machines will connect using TLS must have a Server Authentication EKU (Enhanced Key Usage) certificate. These certificates are requested for each physical machine. Note that when requesting a certificate for an LCS pool or LCS server, the common name (CN) of the certificate must match the name of the server or pool (for front-end servers). If not, the connection between client and server or pool will not work.
- If you are enabling federation or Public Instant Messaging Connectivity (PIC) within your LCS environment to provide communication capabilities with public IM networks such as MSN, AOL, Yahoo, or other LCS environments, you need a certificate for your LCS Access Proxy servers. The purpose of this certificate is to enable authentication between networks.

Computer Configuration Settings

Microsoft Office Communicator Policy Settings > Microsoft Office Communicator Feature Policies

- Specify transport and server
- Limit bandwidth for audio and video calls
- Specify dynamic port ranges
- Disable certificate revocation list checking
- Allow Microsoft Office Communicator to transfer unencrypted files
- Disable emoticons in instant messages
- Warning text
- Address book URL fallback logic
- Address book server inside URL
- Address book server outside URL

The next table lists the settings available in the User Configuration portion of the administrative template. As with the rtcclient.adm template, the User Configuration settings in the communicator.adm template can be overridden by the Computer Configuration settings.

User Configuration Settings

Microsoft Office Communicator Policy Settings > Microsoft Office Communicator Feature Policies

- Prevent users from running Microsoft Office Communicator
- Prevent video calls
- Prevent computer-to-computer audio calls
- Enable conferencing
- Enable computer-to-phone calls
- Prevent file transfer
- Prevent users from saving instant messages
- Prevent collaboration features
- Specify instrumentation
- Prevent Ink in instant messages

User Configuration Settings (continued)

Microsoft Office Communicator Policy Settings > Microsoft Office Communicator Feature Policies

- Permit hyperlinks in instant messages
- Disable Calendar presence
- Enable phone control
- Disable presence note
- Disable call presence
- Allow remote assistance
- Help menu
- Tab URL
- Disable Live Meeting integration
- Block IMs from federated contacts
- Set maximum allowed number of contacts
- Launch Microsoft Office Communicator Tour
- Require logon credentials
- Allow additional server DNS names
- Specify encryption for computer-to-computer audio and video calls
- Configure SIP security mode
- Enable UPnP
- Allow storage of user passwords
- Specify transport and server
- Allow Microsoft Office Communicator to transfer unencrypted files
- Disable emoticons in instant messages
- Warning text
- Address book URL fallback logic
- Address book server inside URL
- Address book server outside URL

To view the new features of the communicator.adm template, you can open the template locally on a workstation using gpedit.msc or by creating a test GPO in Active Directory. Because we are concentrating on the environment, the focus will be on utilizing a test GPO:
