Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
You can enable Voice over IP (VoIP) security for a Unified Messaging (UM) dial plan. By default, a newly created UM dial plan uses Unsecured mode, that is, no encryption. When you configure the UM dial plan to use Session Initiation Protocol secured (SIP Secured) or Secured mode, the Unified Messaging servers associated with the UM dial plan encrypt the SIP signaling traffic (SIP Secured) or both the Real-time Transport Protocol (RTP) media channels and the SIP signaling traffic (Secured).
To enable a UM server to encrypt data that's sent between IP gateways and IP PBXs, you must:
- Create a new self-signed or public certificate that you can use for mutual TLS.
- Associate a certificate with the UM server.
- Configure the UM dial plan as SIP Secured or Secured.
- Configure the startup mode on the UM server.
- Configure the listening port on the UM IP gateways to use TCP port 5061.
- Import the certificate on your IP gateways or IP PBXs.
Prerequisites
After you've installed the Unified Messaging server role, you'll have to create a certificate that can be used to encrypt data between a UM server and IP gateways or IP PBXs.
Use the EMC to create a new Exchange certificate
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "UM server" entry in the Unified Messaging Permissions topic. You must also log on by using an account that's a member of the local Administrators group on that computer.
- In the console tree, click Server Configuration.
- In the action pane, click New Exchange Certificate to open the New Exchange Certificate wizard.
- On the Introduction page, enter a friendly name for your certificate.
- On the Domain Scope page, don't select the Enable wildcarding for this certificate check box.
- On the Exchange Configuration page, expand Unified Messaging server.
- Select Self-signed certificate or Public certificate, enter the fully qualified domain name (FQDN) of your UM server in the Fully qualified domain name (FQDN) of your UM servers box, and then click Next.
- On the Organization and Location page, enter information about your Exchange organization.
- On the Certificate Completion page, verify that all the information you've entered is correct. If it is correct, click New.
- On the Completion page, follow the steps that are listed there to complete your request. This page also contains the cmdlet syntax necessary to create a new certificate.
Use the Shell to create a new Exchange certificate
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "UM server" entry in the Unified Messaging Permissions topic. You must also log on by using an account that's a member of the local Administrators group on that computer.
This example creates a new Exchange certificate request for a UM server named MyUMServer with a friendly name of UMCert.
New-ExchangeCertificate -FriendlyName 'UMCert' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -DomainName '*.contoso.com' -SubjectName 'C=US,S=wa,L=redmond,O=contoso,OU=servers,CN=contoso.com' -Server 'MyUMServer'
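The following script is an added example, not part of this topic, that carries the six steps listed at the top of the page through in the Shell, with a self-signed certificate and a verification pass at the end. The server, dial plan, gateway, FQDN and file path names are assumptions; substitute your own.

```powershell
# Added example (not from the original topic): the six VoIP security steps in the
# Exchange Management Shell on Exchange 2010. All names below are assumed values.
$Server   = 'MyUMServer'               # assumed UM server name
$DialPlan = 'MyDialPlan'               # assumed UM dial plan name
$Gateway  = 'MyGateway'                # assumed UM IP gateway name
$Fqdn     = 'myumserver.contoso.com'   # assumed FQDN the IP gateways use to reach the UM server

# 1. Certificate: without -GenerateRequest, New-ExchangeCertificate creates a self-signed
#    certificate. The subject must match the FQDN the gateway connects to (no wildcard).
$cert = New-ExchangeCertificate -Server $Server -FriendlyName 'UMCert' `
    -SubjectName "CN=$Fqdn" -DomainName $Fqdn -PrivateKeyExportable $true -KeySize 2048

# 2. Associate the certificate with the UM service on that server.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services UM

# 3. Dial plan: SIPSecured encrypts SIP signaling only; Secured also encrypts RTP media.
Set-UMDialPlan -Identity $DialPlan -VoIPSecurity Secured

# 4. Startup mode: Dual accepts both TCP (5060) and TLS (5061) while gateways are being
#    migrated; switch to TLS once every gateway uses 5061. The UM service must be
#    restarted for a startup mode change to take effect.
Set-UMServer -Identity $Server -UMStartupMode Dual
Restart-Service MSExchangeUM

# 5. Point the IP gateway object at the TLS listening port.
Set-UMIPGateway -Identity $Gateway -Port 5061

# 6. Export the certificate (PFX) so it can be imported on the IP gateway or IP PBX.
$pfx = Export-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password (Read-Host -AsSecureString 'PFX password')
Set-Content -Path 'C:\UMCert.pfx' -Value $pfx.FileData -Encoding Byte   # assumed path

# Verification: confirm that each setting actually took effect before cutting over.
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint | Format-List Subject,Services,NotAfter
Get-UMDialPlan -Identity $DialPlan | Format-List VoIPSecurity
Get-UMServer -Identity $Server | Format-List UMStartupMode
Get-UMIPGateway -Identity $Gateway | Format-List Address,Port
```

Services in the first verification line should include UM, and the gateway should report Port 5061; a gateway still on 5060 against a server in TLS mode will fail to register.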
Other Tasks
After you create a certificate for Unified Messaging, you may also want to: