Applies to: Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-07-12
One of the most important ways to help protect your Microsoft Exchange Server 2007 Unified Messaging (UM) infrastructure and the network traffic that is generated by Unified Messaging is by using Mutual Transport Layer Security (MTLS). You can use MTLS to encrypt Session Initiation Protocol (SIP) traffic that is passed between IP gateways, IP PBXs, and other Exchange 2007 servers and the Unified Messaging servers on your network. Using MTLS to encrypt the SIP data helps protect this data.
After you have used the VoIPSecurity parameter on the Set-UMDialPlan cmdlet to enable VoIP security on the UM dial plan, all Unified Messaging servers that are associated with the UM dial plan will be configured to use secure mode. However, depending on the type of certificate that you use to enable MTLS, you must first import and export the required certificates on the Unified Messaging servers and the IP gateways and IP PBXs.
This topic explains how to use the UM Test Phone to test your MTLS configuration to make sure that it is functioning correctly.
Before You Begin
Before you can run the Exchange UM Test Phone application, you must set up and configure the client computer by installing the appropriate audio devices, audio drivers, speakers, and a microphone. The Exchange UM Test Phone application streams the audio to the audio devices that are configured on the client computer from the Unified Messaging server. Verify that these devices are connected and working correctly before you run the Exchange UM Test Phone application on a client computer. For more information about how to set up the UM Test Phone, see How to Set Up the Unified Messaging Test Phone.
To perform the following procedures, the account you use must be delegated the following:
- Exchange Organization Administrator role.
- Membership in the local Administrators group on the computer that is running the UM Test Phone.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Also, before you perform these procedures, confirm the following:
- The Microsoft Exchange Unified Messaging service is running in "SipSecured" mode.
- If the Microsoft Exchange Unified Messaging service is using a self-signed certificate, the certificate should be exported from the Personal certificate store to a file, and then stored in a location that can be accessed from the host computer that is running the UM Test Phone application.
- A UM dial plan has been created.
- A UM auto attendant has been created.
- The Unified Messaging server has been added to a UM dial plan.
- The UM dial plan security mode is set to SipSecured.
- The UM Test Phone application has been installed and configured correctly.
- For more information about the different types of certificates that can be used with Unified Messaging, see Understanding Unified Messaging VoIP Security.
Procedure
To generate a self-signed certificate for MTLS
1. Open the Exchange UM Test Phone application by double-clicking \bin\ExchangeUMTestPhone.exe.
2. In the Exchange UM Test Phone window, click Tools, and then click Setup.
3. On the Setup page, under Call Security Settings, click SIP secured (TLS) to generate a self-signed certificate.
4. Verify that the Personal certificate store on the host computer that is running the Exchange UM Test Phone application contains the self-signed certificate. Verify that a self-signed certificate was generated with the fully qualified domain name (FQDN) of the host as the subject name and that the intended purpose for the certificate is Server Authentication.
Note: If the self-signed certificate is not generated, verify that you are a member of the local Administrators group.
5. Export the self-signed certificate by using the Base-64 encoded X.509 (.CER) format.
6. Follow the steps in the Certificate Export Wizard to export the certificate in the Base-64 encoded X.509 (.CER) format to a file, and then store the file in a location that can be accessed by the Unified Messaging server.
7. Use the Certificate Import Wizard to import the self-signed certificate into the Trusted Root Certification Authorities store on the Unified Messaging server.
Important: A self-signed certificate will not be generated if the UM Test Phone finds another certificate in the Personal certificate store that lists the FQDN of the host computer as the subject name and for which the intended purpose is Server Authentication.
For more information about how to import and export certificates, see Import and Export Certificates.
To generate a request and import a PKI certificate
1. Use the Request New Certificate wizard to generate a certificate request by using the FQDN of the host computer as the subject name and identify the intended purpose as Server Authentication. Use a certification authority (CA) that is configured on your network to issue a certificate for the request.
2. Import the certificate into the Personal certificate store on the host computer that is running the Exchange UM Test Phone application.
3. Import the trusted root certificate from the public key infrastructure (PKI) CA into the Trusted Root Certification Authorities store on the host computer that is running the Exchange UM Test Phone application.
Important: You can also use this procedure to generate a certificate request for a third-party or commercial certificate, and then import the certificate into the Personal certificate store on the host computer. However, Server Authentication must be identified as its intended purpose.
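The following PowerShell script is an added verification aid, not part of this topic or of the UM Test Phone; it checks the certificate requirements that step 4 of the self-signed procedure and step 2 of the PKI procedure describe (subject name equal to the host FQDN, intended purpose Server Authentication), flags the case where more than one such certificate exists (which stops the Test Phone from generating its own), and writes a self-signed certificate out in the Base-64 encoded X.509 (.CER) format for import on the Unified Messaging server. It assumes the Personal store is Cert:\LocalMachine\My and that the output path under $env:TEMP is acceptable; both are assumptions.

```powershell
# Added verification script; not part of the original topic or the UM Test Phone tool.
# Run on the host computer that runs the Exchange UM Test Phone.
# Assumption: the Personal store is Cert:\LocalMachine\My (use Cert:\CurrentUser\My if
# the Test Phone created the certificate there). The FQDN is resolved for this machine.

$fqdn          = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication enhanced key usage
$storePath     = 'Cert:\LocalMachine\My'

# Certificates whose subject names this host and that carry the Server Authentication EKU.
function Get-UmTestPhoneCerts {
    Get-ChildItem $storePath | Where-Object {
        $subjectOk = $_.Subject -like "*CN=$fqdn*"
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOk = $false
        if ($ekuExt) {
            $ekuOk = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        }
        $subjectOk -and $ekuOk
    }
}

$certs = @(Get-UmTestPhoneCerts)
switch ($certs.Count) {
    0       { Write-Warning "No Server Authentication certificate for $fqdn in $storePath." }
    1       { Write-Host "Found one matching certificate." }
    default { Write-Warning "$($certs.Count) matching certificates; the Test Phone will not generate a self-signed one." }
}

foreach ($cert in $certs) {
    $kind = 'CA-issued'
    if ($cert.Subject -eq $cert.Issuer) { $kind = 'self-signed' }
    Write-Host ("{0}  {1}  expires {2}  thumbprint {3}" -f $kind, $cert.Subject, $cert.NotAfter, $cert.Thumbprint)
}

# Write a certificate as Base-64 encoded X.509 (.CER), the format the export step asks for,
# so the file can be copied to the UM server and imported into Trusted Root Certification Authorities.
function Export-CertBase64 {
    param($Certificate, [string]$Path)
    $der = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
    "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----" | Out-File -FilePath $Path -Encoding ascii
}

if ($certs.Count -eq 1 -and $certs[0].Subject -eq $certs[0].Issuer) {
    Export-CertBase64 -Certificate $certs[0] -Path "$env:TEMP\UMTestPhone-$fqdn.cer"   # output path is an assumption
}
```

On the Unified Messaging server, the same filter applied to Cert:\LocalMachine\Root, matched on the thumbprint printed above, confirms that the import in the last step of the self-signed procedure succeeded.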
To test a Unified Messaging server in secure mode
1. Open the Exchange UM Test Phone application by double-clicking \bin\ExchangeUMTestPhone.exe.
2. In the Exchange UM Test Phone window, click Tools, and then click Setup.
3. In Server Settings, type the host name of the Unified Messaging server in the Server Address field.
4. Click the Make Call button to place the call to a Unified Messaging auto attendant. The Make Call button is a green telephone icon in the Exchange UM Test Phone window.
5. Follow the voice prompts for the UM auto attendant.
6. In the Exchange UM Test Phone application, click Hang Up to disconnect the call after you complete the test.
For More Information
- For more information about how to test a Unified Messaging server, see Testing Unified Messaging Server Functionality.
- For more information about how to configure MTLS for Unified Messaging, see Understanding Unified Messaging VoIP Security.