Third Party CA certificate requirement for Cisco expressway C and E

Hi All,
We have implemented an MRA solution for our customer. We had asked to procure the CA certificate from a third-party CA certificate issuing vendor.
We had shared the CSR generated from the Expressway C and E applications to generate the SSL certificate. As per the Cisco document, we had asked to procure a “Quick SSL premium single domain” CA certificate for the Expressway Series E and C servers, but as per the certificate issuing vendor, the application requires “Quick SSL premium multi domain”, as they observed extra SANs in the CSR generated from the Expressway C and E applications. Need help to find out which certificate the application requires, from anyone who is using a third-party CA certificate for an MRA solution.

First of all, I don't see how you can't get away with a single domain certificate. I have looked into this more. This is because you need to add your domain name in the SAN as detailed below.
Secondly, I am not sure where you are going to generate the certificates from. You should generate your CSR from here:
Go to Maintenance > Security certificates > Server certificate
NB: Customer’s service discovery domain is required to be included as a DNS SAN in all Expressway-E server certificates
This is what the CSR page looks like
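
A way to check what the CA vendor saw in the CSR, as an added example that is not part of the original posts: it lists the DNS SANs in a CSR with OpenSSL and reports whether more than one distinct name is requested. The host names (`expe.example.com`, `example.com`) and the function names are placeholders, the sample CSR is constructed locally, and the rule that more than one distinct name calls for a multi-domain product is an assumption about how CA products are sold.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Host names and function names are
# placeholders; the CSR inspected in the demo is constructed locally.

# Generate a throwaway 2048-bit key and CSR so the example runs offline.
# Usage: make_sample_csr DIR COMMON_NAME SAN_LIST
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/sample.key" -out "$1/sample.csr" \
        -subj "/CN=$2" -addext "subjectAltName=$3" 2>/dev/null
}

# Print each DNS subject alternative name requested in a PEM CSR, one per
# line, lower-cased. Prints nothing when the CSR carries no SAN extension.
# Usage: csr_dns_sans CSR_FILE
csr_dns_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tail -n1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
        | tr 'A-Z' 'a-z'
}

# Report which kind of certificate product the CSR implies.
# Assumption: a "single domain" product covers one DNS name, so a CSR
# requesting more than one distinct name needs a "multi domain" product.
# Usage: cert_product_needed CSR_FILE
cert_product_needed() {
    local count
    count=$(csr_dns_sans "$1" | sort -u | wc -l | tr -d ' ')
    if [ "$count" -gt 1 ]; then
        echo "multi-domain"
    else
        echo "single-domain"
    fi
}

# Demo: an Expressway-E style CSR whose SANs hold the server FQDN plus the
# service discovery domain, as the reply above says is required.
demo_dir=$(mktemp -d)
make_sample_csr "$demo_dir" "expe.example.com" \
    "DNS:expe.example.com,DNS:example.com"
echo "DNS SANs requested:"
csr_dns_sans "$demo_dir/sample.csr" | sed 's/^/  /'
echo "Product needed: $(cert_product_needed "$demo_dir/sample.csr")"
rm -rf "$demo_dir"
```

A CSR downloaded from the Expressway can be passed to `csr_dns_sans` and `cert_product_needed` in place of the constructed sample.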

Similar Messages

  • How Do You Generate a 2048bit CSR for a Third Party SSL Certificate for LMS 4.0.1?

    Our site requires Third Party SSL certificates to be installed on our servers.  We have an agreement with inCommon. I have to supply a CSR in order to obtain the SSL certificate.
    My installation is on a Windows 2008 server and I had the self-signed CSR already but it is only 1024 bits.  Is there someplace in the GUI or OS where I can change the encryption?

    This is a shot in the dark, but since CiscoWorks is using (I believe) Tomcat as the web server, could you run keytool to generate the CSR?
    http://help.godaddy.com/article/5276
    You could also use an online CSR generator such as:
    http://www.gogetssl.com/eng/support/online_csr_generator/
    The key (pun intended) is having the private key on your server so that when you get the signed certificate and install it (using sslutil) it will be usable.
    Hope this helps.

  • Certificate Requirement for Lync 2013 Standard Edition

    I have successfully run the setup of lync 2013 standard edition now I am stuck due to certificates required for lync 2013. when I generate a csr. it show the subjected urls for that.
    hostname.domain.com
    sip.domain.com
    diali.domain.com
    meet.domain.com
    admin.domain.com
    lyncdiscover.domain.com
    lyncdiscoverinternal.domain.com
    im.domain.com (External URL)
    so if I go for a 3rd party CA then I need 8 certificates only for internal Lync. As I also need to connect federated partners and external users, I need Edge, for which again I need 3 more certificates
    web.domain.com
    a/v.domain.com
    sip.domain.com
    now when I go for these certificates it is quite costly and I didn't understand why such certificates are required. Can anyone help me to fix such a requirement?
    Or, what are the necessary url to which I buy 3 party CA rest leave as it is.
    I also want to deploy Edge with single adopter as we have only one network so can anyone assist me to proceed it further.
    Talha Faraz Malik

    To save on the cost of your third party certificates, I would deploy an internal certificate authority to sign certificates for your internal front end.  For your third party certificate, you would only need the SANs for the edge and for your reverse proxy and as Edwin said, this can be a single cert with multiple SANs.
    For example, for your edge you would need:
    sip.domain.com
    web.domain.com
    You would not need A/V as this role does not require a SAN on your certificate.  On the same certificate, which you could also use on your reverse proxy, you'd likely want the following FQDNs.
    lyncdiscover.domain.com
    im.domain.com (your external web services FQDN)
    meet.domain.com
    dialin.domain.com
    You may also want to consider your internal web services FQDN and include the following so third party mobile devices can connect without needing a certificate installed:
    im_internal.domain.com (your internal web services FQDN)
    lyncdiscoverinternal.domain.com
    I'm sure that's not entirely clear yet, so feel free to ask more questions or what the purpose of each is. 
    When you say Edge with a single adapter, you mean a single adapter in a DMZ or internal?  You definitely want two NICs, both in separate DMZs, but I've managed to get the edge working with a single adapter in a DMZ before.  What you don't want is the edge in your internal network.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • SSL - Installing Third party secure certificates

    Hi,
    I am having problem while importing third party secured certificates (Verisign).
    In STRUST, after import it was still saying Self-Signed message for third party certificates. I am not sure whether this is correct behavior or not.
    After launch browser, the certificate status showing with message
    "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."
    Please help me to solve this issue. Any other procedure we need to follow to import third party certificates
    Thanks in advance
    Regards
    Srinivas

    I'm guessing you'll need to download the Verisign Trusted Root CA certificate from verisign.com and import it into your certificate list in STRUSTSSO2, under the System PSE node.
    If you double-click the response certificate from Verisign, you may be able to see what the hierarchy / trust chain is for Verisign certs. If it's more than just root and cert, you'll probably need to add the intermediate certs too. Check out the Verisign link, maybe it'll explain better.
    https://www.verisign.com/support/ssl-certificates-support/page_dev028341.html
    Also, is the self-signed message on the SSL Server PSE node, or the server node? It shouldn't say self-signed if it's the (as example below) sapserver_sid_00 node.
    SSL Server
       |_  sapserver_sid_00
    Hope that helps.
    regards,
    Laurence...
    disclaimer:
    The content of this message is my personal opinion only and, the statements I make here in no way represent my employer's position on the issue, nor am I authorized to speak on behalf of my employer on this matter.

  • Does anyone recommend a third party app called siri-for-iphone-4?

    I saw a third party app called siri-for-iphone-4 which is supposed to add siri to older iphone 4, but do not know if it is suitable or useable.

    Is it an app that you can download from the App Store? If it is not, it would require that you jailbreak your phone which would void your warranty. Definitely not worth it, in my opinion.

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
    Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
    Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
    Friendly URL option 3 from this page:
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    Client auto-configuration:
    i. Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
    ii. Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
    iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net).
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.

  • How do you add a third party sensor to LabVIEW for Lego Mindstorms​?

    I recently purchased an IR Sensor from Mindsensors (DIST-Nx-Long-v3) which I need for a SLAM (Simultaneous Localization and Mapping) application that I am developing using the LabVIEW for Lego Mindstorms software.  I installed the Mindsensors IR Sensor, and it works under NXT-G and RobotC, but I am having trouble finding a way to get LabVIEW for Lego Mindstorms to install the sensor.
    The Mindsensors website gives the following instructions for installing the IR Sensor:
    1.Unzip the folder mindsensors.com LVEE
    2.Open a blank vi in LVEE
    3.On the Block Diagram Go to Tools->Advanced->Edit Palette Set...
    Unfortunately, on the Block Diagram of the LabVIEW for Lego Mindstorms, there is no "Advanced->Edit Palette Set" under Tools.
    As an alternative, I consulted the documentation that came with LabVIEW for Lego Mindstorms.  The Schematic Editor of LabVIEW for Lego Mindstorms lists several sensors, i.e. the Lego Mindstorms sensors and several Hi-Teach (HT) sensors, but there are no procedures listed in the documentation for adding other third party sensors to the Functions Palette.
    So, how does one go about adding a third party sensor to LabVIEW for Lego Mindstorms?

    Hi Ethan,
    As you can see from my Word document, I am a little light on the proper terminology.  That's because LVLM comes with inadequate documentation.
    I have already followed your recommended protocol for installing a 3rd party sensor (in fact, its the protocol recommended by Mindsensors) with the application set in the Remote Mode (.lvrbt), and it does create a sub-palette with all the Mindsensors functions on it.  But when I drag the Mindsensors icon to the Block Diagram and select "Distance Sensor," the Distance Sensor (an IR sensor) doesn't work (even though the Mindsensor's Distance Sensor does work with NXT-G, RobotC and LVLM under other circumstances (see below)).
    If I repeat the above process with the application set in the Direct Mode (.vi), I also get the sub-palette with all the Mindsensors functions on it.  When I drag the Mindsensors icon to the Block Diagram and select "Distance Sensor," the Distance Sensor does work.
    What I need for my mapping application is for the Distance Sensor to work in the Remote Mode.  I called NI tech support and the first engineer told me to simply drag the Mindsensors Functions (.vi) onto the Block Diagram.  I did this, but when I selected the Distance Sensor, the icon appeared, but the sensor did not work.  Since I have no idea what's under the hood of the vi or a function, I assumed that simply dragging the vi/function onto the desktop didn't install the vi/function properly.  I went back to the Applications Engineer, and he confessed that he did not understand the LVLM product.
    My frustration is being punted to new people, none of whom so far (other than you, of course) understand LVLM.

  • Third party encryption plug-in for a pdf form.

    We are looking for an Adobe approved third party encryption plug-in for a pdf form. 256 bit, asymmetric, two key, one public (embedded in form) and one private (accessible only to our organisation

    I don't know that is a huge number of alternatives for Fractal plugins.  You'll no doubt come across links for Fractalius and Genuine Fractals, but the first produces interesting strand like effects (after a very long wait) and the second is an image resize plugin which now belongs to On One, and is sold as Perfect Resize.  And even that has been made irrelevant by the Preserve Details upres option in CC.
    You are also wise to be careful.  Previously trustable sites like cnet or softonic are a nightmare nowadays, and too many of the free apps you find on them come loaded with malware.  Some of it _serious_ malware DAMHIKIJKOK
    But have a look at Fractal Explorer.  I don't have experience with it, but it comes with the Pixel Bender name behind it, which is like a badge of excellence.
    http://www.subblue.com/projects/fractal_explorer

  • Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

    Dear All,
    I have the following case:
    I am using the ASA as Certificate Authority for Cisco AnyConnect VPN users; the authentication happens based on the local database of the ASA.
    I want to issue a new certificate every 72 hours for the users, and I want to send the one-time password via email to each user.
    So what should the settings of the mail and SMTP server be?
    As I understand, I should put my SMTP server IP address, then I have to create the local users again under (Remote VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one-time password to them via their emails.
    I sent the email manually; how can I automate sending the OTP to our VPN users automatically via their emails?
    Best regards,

    Thanks Jennifer.
    I did manage to configure LDAP attribute map to the specific group policy.
    Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
    Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
    Example: let say my username is LLH.
    Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
    Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
    Only me know the preshared key and only me can login with my Connection Profile.
    Using AnyConnect, I have problem. User can use any connection profile because I cannot set preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
    Example:
    AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
    Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
    Any body can use LLH-Connection-Profile, login with another user name, let say user-abc which is a valid user in LDAP server. In that case, ASA assign 172.16.1.11 to user-abc and this user-abc can access server which only allow my IP to access.
    I hope above description can paint the scenario clearer.
    Thanks in advance for all the help and comment given.

  • Certificate Requirement for Microsoft RDS 2012

    Hi All,
    I am planning to deploy RDS VDI and remote app service. Please help me to understand the certificate requirement for server authentication, publication, SSO, etc.
    Internet URL is
    https://RDSVDI.domain.net
    My servers are in .local 
    RD Licensing Server--------RDSLICSVR.Domain.LOCAL
    RD Connection Broker-----RDSCB.Domain.LOCAL
    RD Web Access------------RDSWEBSVR.Domain.LOCAL
    RD Session Host-----------RDSSHSVR.Domain.LOCAL
    RD Visualization Host-------RDSVHSVR.Domain.LOCAL
    RD Gateway Server -------RDGWSVR.Domain.LOCAL
    What kind of certificate do I require to launch Desktop and RemoteApp without any error?

    Hi,
    1. I would recommend a wildcard certificate (*.domain.net) purchased from a trusted public authority such as GoDaddy, VeriSign, Thawte, etc.  This wildcard certificate would be used for all RDS purposes.
    2. On the internal network you will need to create a DNS zone for domain.net with A records pointing to the private ip addresses, similar to the following:
    rdsvdi.domain.net --> private ip address of your RD Web server
    rdscb.domain.net --> private ip address of your RD Connection Broker
    rdsgwsvr.domain.net --> private ip address of your RD Gateway server (this is only needed if you want to use RDG for internal users)
    3. On the Internet you will need DNS records similar to the following:
    rdsvdi.domain.net --> public ip address for your RD Web server
    rdgwsvr.domain.net --> public ip address for your RD Gateway server
    4. You will need to change the published FQDN for your RDS deployment to rdscb.domain.net using the cmdlet below:
    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
    http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    5. You may need to modify your RD RAP in RD Gateway Manager. For example, you could edit the properties of the RD RAP, Network Resource tab, and select Allow users to connect to any network resource.
    6. You should make sure that all client PCs have RDP 8.1 Client (6.3.9600) installed for best results connecting to Server 2012 R2.
    7. For domain-joined PCs you may choose to set the SHA thumbprint of your certificate via group policy setting so that they will not be prompted when launching RemoteApps.
    8. It is preferred for users to use IE to connect to RD Web Access and select the Private option if possible (as long as the PC is not public).  When prompted they should Allow the Activex control to run.
    -TP

  • TS1717 Having trouble running iTunes version 11.0.2 on a Dell Laptop running Windows 7 Professional Service Pack 1.  Keep getting an error message "the software required for communicating with iPods and mobile phones was not installed correctly..." reinst

    Having trouble when I launch iTunes (version 11.0.2) on my Dell Laptop running Windows 7 Professional (service pack 1).  I get an error message indicating software required to communicate with iPod and mobile phones was not installed correctly.  Do you want iTunes to try to repair this for you?  I normally respond with OK and it immediately tells me "could not be repaired.  Please reinstall iTunes..."  I have done this a number of times to no avail.

    I also notice Quicktime is not getting installed at all.
    That one is normal nowadays (ever since the iTunes versions 10.5.x).
    The software required for communicating with iPods and mobile phones was not installed correctly. Do you want iTunes to try to repair this for you?
    Let's try a standalone Apple Mobile Device Support install. It still might not install, but fingers crossed any error messages will give us a better idea of the underlying cause of why it's not installing under normal conditions.
    Download and save a copy of the iTunesSetup.exe (or iTunes64setup.exe) installer file to your hard drive:
    http://www.apple.com/itunes/download/
    Download and install the free trial version of WinRAR:
    http://www.rarlab.com/
    Right-click the iTunesSetup.exe (or iTunes64setup.exe), and select "Extract to iTunesSetup" (or "Extract to iTunes64Setup"). WinRAR will expand the contents of the file into a folder called "iTunesSetup" (or "iTunes64Setup").
    Go into the folder and doubleclick the AppleMobileDeviceSupport.msi (or AppleMobileDeviceSupport64.msi) to do a standalone AMDS install.
    (If it offers you the choice to remove or repair, choose "Remove", and if the uninstall goes through successfully, see if you can reinstall by doubleclicking the AppleMobileDeviceSupport.msi again.)
    Does it install (or uninstall and then reinstall) properly for you?
    If instead you get an error message during the install (or uninstall), let us know what it says. (Precise text, please.)

  • What are the ports required for the Audio, Video and A/V conferencing when the following end points are enabled for QoS in Lync 2013 server?

    Hi All,
    What are the ports required for the Audio, Video and A/V conferencing when the following clients are enabled for QoS in Lync 2013 server?
    Client Type | Port range and Protocol required for Audio | Port range and Protocol required for Video | Port range and Protocol required for A/V conferencing
    Windows Desktop Client
    Windows mobile App
    iPhone
    iPad
    Android phone
    Android Tablet
    MAC desktop client
    Please advise. Many Thanks.

    Out of the box, 1024-65535 for all of the client ports.  :) 
    https://technet.microsoft.com/en-us/library/gg398833.aspx
    You'll want to tune your client ports a bit
    https://technet.microsoft.com/en-us/library/jj204760.aspx as seen here, and then the client ports would use those ranges which is easier to set QoS markings.  I'm not sure the mobile clients respect that setting.
    Elan's got the best writeup for Windows clients here:
    http://www.shudnow.net/2013/02/16/enabling-qos-for-lync-server-2013-and-various-clients-part-1/
    However, the marking of the packets is the tricky part.  Windows can do it via Group Policy, but for the other clients you'll need to have the network specifically prioritize ports regardless of DSCP markings.  You have to do it based on ports as the traffic could be peer to peer.

  • Error message: "the software required for communicating with Ipods and mobile phones was not installed correctly....

    2 error messages when opening itunes: "The software required for communicating with Ipods and mobile phones was not installed correctly.  Do you want Itunes to repair this for you?"  When clicking yes another message indicates not able to remove services.  Another message is: "Service (ipod service) could not be installed.  Verify that you have sufficient privileges to install system sources."  I've uninstalled all Apple services (itunes, quicktime, apple software update, apple mobiles devices support, bonjour and apple application support and reinstalled itunes/quicktime - no change in error messages.  I cannot burn CDs using Itunes.  This all seemed to happen when I updated itunes to version 10.  I have a Windows 7 64-bit operating system on a Dell Inspiron Zino HD; the Itunes software is also 64 bit.

    See the second box of  Troubleshooting issues with iTunes for Windows updates.
    tt2

  • What Service Restarts the Data Calculations for Cisco Supervisor Desktop and Wallboards

    Hello All,
    UCCX version 8.0.2.11005-20
    UCCX is running in HA mode.
    Yesterday we believe our UCCX Servers failed over due to a network outage between the Publisher and the Subscriber.
    So last night I restarted the "CCX Engine" to fail-back the servers, which worked just fine.
    Now today the database that our Wallboard uses is not showing any data. So I ran some SQL statements on both Servers' CLI and the Database db_cra is showing old data on the Subscriber and the Publisher is showing all Zeros. But after just looking at the Real-Time Reporting page on the Web GUI, that "seems" to be working but I'm not positive because I have nothing to compare the numbers to...
    When I try to run Supervisor Desktop, I can open the Program, sign-in, and then when I choose the "team" and then try clicking on a CSQ Name, Supervisor freezes and I get a "Not Responding" message. I thought it was just my PC but this is happening for 2 other people as well, on 2 completely different PCs so I can rule out that its the computer that is killing Supervisor.
    Is there another service that needs to be restarted in order to get this working? I tried restarting the service for "Cisco Desktop Recording and Statistics Service" and I was nervous about restarting anything else because we are currently open and our CallCenter is taking calls.
    Any thoughts would be much appreciated!
    Thanks in Advance,
    Matt

    Has your problem cleared up?  Did you do anything, such as a reboot or open a TAC case?
    Anthony Holloway
    Please use the star ratings to help drive great content to the top of searches.

  • When I click on itunes, it tells me that the software required for communicating with ipods and mobile phones was not installed properly. I have not changed anything on my computer so I'm not sure what I should do? Help

    Help, when I click on itunes on my computer it tells me that the software required for communicating with ipods and mobile phones was not installed properly. I haven't changed anything. Does anyone know what I should do? Thanks

    See the second box of Troubleshooting issues with iTunes for Windows updates.
    tt2
