Martin Gibney - Microsoft Teams

  Another common issue with Exchange and Outlook is that end users see pop ups complaining about the name on the certificate not matching the cert itself. " The name on the security certificate is invalid or does not match the name on the site " Or " The security certificate has a valid name " is marked with a red X   This tends to happen when the InternalURL does not match the certificate names. What this means in plain English is that the server name is either not on the certificate or does not match up. In many cases the servers will be built and use a single public wildcard certificate, however this wildcard certificate domain does not match the internal domain name. E.g. Mydomain.ie is the public SMTP name and wildcard cert *. mydomain.ie but the Active Directory domain is mydomain.local . We can "trick" the Exchange System into thinking that it is mydomain.ie and respond as such (No need to change domain n

So here is another issue I have come across twice this week alone. When setting up the TCP 5061 rules on firewalls between DMZ Internal and LAN on Checkpoint Firewalls, the default SIP rule being chosen by admins is SIP_TLS_AUTHENTICATION. However while a simple telnet will work between the servers (it may take 7-8 seconds extra) and it will look like it works but no logs in the Logger or errors about certificates. What I found is that if you change the rule to SIP_TLS_NOT_INSPECTED this resolved the issue. We could then see traffic coming completely through. Here is some information from checkpoint directly: Source: https://sc1.checkpoint.com/documents/R76/CP_R76_VoIP_WebAdmin/87769.htm

In advance of any installation of Lync products, ensure networking and firewall rules have been set up in advance. To save time during the install phase, you can ask the on site administrator to run the following: To assist in checking this is in place you can run the following tool ( https://www.allscoop.com/tcp-listen.php ) on the server and run my script ( http://ucireland.blogspot.ie/2015/05/testing-lync-2013-ports.html ) the opposing server. On the Edge Server listen on ports and test from LAN: 5061 TCP 4443 TCP 4443 TCP 8080 TCP 8057 TCP 5062 TCP 3478 UDP 443 TCP 50001 TCP 50002 TCP 50003 TCP 23456 TCP On the Front End Server listen on ports and test from DMZ: 5061 TCP On the Edge Server listen on ports and test from INTERNET: 443