209
D14049.04
JULY 2008
Grey Headline (continued)
TANDBERG VIDEO COMMUNICATIONS SERVER
ADMINISTRATOR GUIDE
Introduction Getting Started
Overview and
Status
System
Conguration
VCS
Conguration
Zones and
Neighbors
Call
Processing
Bandwidth
Control
Firewall
Traversal
Appendices
Applications Maintenance
LDAP Conguration
Microsoft Active Directory
Securing with TLS
To enable Active Directory to use TLS, you must request and
install a certicate on the Active Directory server. The certicate
must meet the following requirements:
Be located in the Local Computer’s Personal certicate store.
•
This can be seen using the Certicates MMC snap-in.
Have the private details on how to obtain a key associated
•
for use with it stored locally. When viewing the certicate you
should see a message saying “You have a private key that
corresponds to this certicate’’.
Have a private key that does not have strong private key
•
protection enabled. This is an attribute that can be added to
a key request.
The Enhanced Key Usage extension includes the Server
•
Authentication object identier, again this forms part of the
key request.
Issued by a CA that both the domain controller and the client
•
trust.
Include the Active Directory fully qualied domain name of
•
the domain controller in the common name in the subject
eld and/or the DNS entry in the subject alternative name
extension.
To congure the VCS to use TLS on the connection to the LDAP
server you must upload the CA’s certicate as a trusted CA
certicate. This can be done on the VCS by navigating to:
Maintenance > Security.
•
Adding H.350 Objects
Create the Organizational Hierarchy
Open up the Active Directory 1. Users and Computers MMC
snap-in.
Under your BaseDN right-click and select 2. New Organizational
Unit.
Create an Organizational unit called 3. h350.
It is good practice to keep the H.350 directory in its own
organizational unit to separate out H.350 objects from
other types of objects. This allows access controls to be
setup which only allow the VCS read access to the BaseDN and
therefore limit access to other sections of the directory.
Add the H.350 Objects
Create an 1. ldif le with the following contents:
# MeetingRoom1 endpoint
dn: commUniqueId=comm1,ou=h350,DC=X
objectClass: commObject
objectClass: h323Identity
objectClass: h235Identity
objectClass: SIPIdentity
commUniqueId: comm1
h323Identityh323-ID: MeetingRoom1
h323IdentitydialedDigits: 626262
h235IdentityEndpointID: meetingroom1
h235IdentityPassword: mypassword
SIPIdentityUserName: meetingroom1
SIPIdentityPassword: mypassword
SIPIdentitySIPURI: sip:MeetingRoom@X
Add the ldif le to the server using the command: 2.
ldifde -i -c DC=X <ldap _ base> -f lename.ldf
where:
<ldap _ base> is the base DN of your Active Directory
Server.
The example above will add a single endpoint with an H.323
ID alias of MeetingRoom1, an E.164 alias of 626262 and a
SIP URI of MeetingRoom@X The entry also has H.235 and SIP
credentials of ID meetingroom1 and password mypassword
which are used during authentication.
H.323 registrations will look for the H.323 and H.235 attributes;
SIP will look for the SIP attributes. Therefore if your endpoint
is registering with just one protocol you do not need to include
elements relating to the other.
!
The SIP URI in the ldif le must be prexed by sip:.
For information about what happens when an alias is not
in the LDAP database see the section
Alias Origin Setting.