I have a fully functional Live Communications Server that I have setup a while ago - all servers and clients use TCP on port 5060 to communicate.

This week I decided to take it one step further and allow remote users to connect to it without the aid of a VPN, in other words over the internet. However this requires (m)TLS throughout.

There are three servers in total - the actual Live Communications Server (FQDN=lcs-srv.lc.com) a Director (FQDN=lcs-db.lc.com) and an Access Proxy (lcs-proxy). The first two servers are Domain Members and the Access Proxy is in Workgroup mode.

Here is how it all works:

The access proxy has two interfaces - one accepting incoming traffic from the internet and the other passing this traffic on to the Director.

The Director authenticates the user to Active Directory and then forwards the traffic on to the Live Communications Server.

The Live communications server than sends the IM to what ever client it is destined for.

So a home user over the internet connects to the access proxy via MTLS - all the access proxy does is check certificates and checks the header of the packet to ensure the instant message is on the allowed SIP domain list. If it is, it forwards the traffic to the Director who then asks the user to authenticate against Active Directory.
Once authentication is successful the user is directed to the LCS server.
All this takes place via MTLS.

I DID have certificates on the LCS server, Director and the internal interface of the Access Proxy all working correctly and server-to-server communication was working a treat. The LCS Server used it FQDN, the Director used its FQDL and the access proxy internal interface used its server name lcs-proxy but had the DNS name as an alias lcs-proxy.lc.com and externaly I had the same subject name and alias. (this did work externally but I have the ISP updating their DNS)

However and all of a sudden all certificates are now invalid for no reason I can see (they have not expired and the root CA and issuing CA have not be changed)

I think I may be setting the subject name wrong for the access proxy?

I even tried using a Subject Alias Name of lcs-proxy.lc.com (DNS name) but I keep getting 'there is a problem with the certificate. Please contact your System Administrator'. And HE is bloody useless! Very Happy

I have tried everything I can think of but always get the same error. And now all the internal certificates are buggered too....

Does anyone have any experience with certificates who can offer some help??