SN and SAN certificates required for Lync architecture?
-
Wednesday 4 April 2012 11:41
Hello,
I need your help to determine the SN and SAN for the following lync architecture:
I'm using:
- 1 standard edition server in the main office, its FQDN= fe1.example.local
- 1 standard edition server in the branch office, its FQDN= fe2.example.local
- 1 edge server in the main office, its FQDN= edge1.example.local
- 1 Reverse proxy in the main office, its FQDN= rp1.example.local or should be rp1.public.com??
- SIP Domain = public.com
I think that I need the following certificate SN and SAN:
For the main office standard edition: SN=fe1.example.local and SAN= fe1.example.local, fe2.example.local, sip.public.com, rp1.public.com, admin.public.com, dialin.public.com, meet.public.com
For the branch office standard edition: SN=fe2.example.local and SAN= fe1.example.local, fe2.example.local, sip.public.com, rp1.public.com, admin.public.com, dialin.public.com, meet.public.com
For the Edge server :
- Internal interface ==> SN=edge1.example.local and SAN is not required
- External interface ==> SN=access.public.com and SAN= access.public.com, webconf.public.com, sip.public.com
For the Reverse proxy:
- Internal interface ==> SN= the server proxy FQDN? rp1.public.com and SAN=?
- External interface ==> SN=rp1.public.com or extweb.public.com? and SAN= dialin.public.com, meet.public.com
Could you please verify these SN and SAN with me? Thank you
All replies
-
Thursday 5 April 2012 03:55
Hi,
The following SN and SANs should be included:
Main office Standard edition
SN=fe1.example.local
SAN= fe1.example.local
SAN=meet.public.com
SAN=dialin.public.com
SAN=admin.public.com
Branch office standard edition:
SN=fe2.example.local
SAN= fe2.example.local
SAN=meet.public.com
SAN=dialin.public.com
SAN=admin.public.com
For the Edge server:
Internal interface ==> SN=edge1.example.local and SAN is not required
External interface ==> SN=access.public.com and SAN= access.public.com, webconf.public.com, sip.public.com(option,for Auto-config)
For Lync Server deployment, we don’t need to request certificate for internal interface of Reverse Proxy.
We need to request the public SSL certificate for the external interface of the Reverse Proxy:
SN= extweb.public.com (External Web Services FQDN)
SAN= extweb.public.com (External Web Services FQDN)
SAN=dialin.public.com
SAN=meet.public.com
SAN=lyncdiscover.public.com (For mobility)
For details:
Certificate Requirements for Internal Servers
http://technet.microsoft.com/en-us/library/gg398094.aspx
Request and Configure a Certificate for Your Reverse HTTP Proxy:
http://technet.microsoft.com/en-us/library/gg429704.aspx
Regards,
Kent
- Proposed as answer by Saleesh Neduvayalil, Microsoft Employee, Thursday 5 April 2012 08:29
-
Thursday 5 April 2012 08:26
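As an added example (not part of the thread, and not Microsoft's own scripts), here is how the SN/SAN lists in the answer above would be requested from the Lync Server Management Shell, followed by a check that the certificate actually assigned to the Front End carries every required SAN entry. The CA, file paths and friendly names are assumptions; the Edge external request also includes the A/V Edge authentication use, which shares that certificate and needs no extra names.

```powershell
# Added example, not from the thread. Names come from the answer above; the
# output paths and friendly names are assumptions. Run in the Lync Server
# Management Shell on the server in question, after the topology is published
# (Request-CsCertificate takes the pool, simple-URL and Edge FQDNs from the
# topology; -DomainName adds SANs explicitly so the request matches the list).

# Main office Standard Edition (fe1.example.local): one certificate for the
# default, internal web services and external web services uses.
Request-CsCertificate -New `
    -Type Default,WebServicesInternal,WebServicesExternal `
    -ComputerFqdn "fe1.example.local" `
    -FriendlyName "Lync FE1" `
    -DomainName "fe1.example.local,meet.public.com,dialin.public.com,admin.public.com" `
    -PrivateKeyExportable $true `
    -Output "C:\Certs\fe1.req"

# Branch office Standard Edition (fe2.example.local): same shape, own FQDN.
Request-CsCertificate -New `
    -Type Default,WebServicesInternal,WebServicesExternal `
    -ComputerFqdn "fe2.example.local" `
    -FriendlyName "Lync FE2" `
    -DomainName "fe2.example.local,meet.public.com,dialin.public.com,admin.public.com" `
    -PrivateKeyExportable $true `
    -Output "C:\Certs\fe2.req"

# Edge internal interface: SN only, no SAN needed.
Request-CsCertificate -New -Type Internal `
    -ComputerFqdn "edge1.example.local" -FriendlyName "Lync Edge internal" `
    -Output "C:\Certs\edge1-internal.req"

# Edge external interface, to be signed by a public CA. sip.public.com is the
# optional name for automatic client configuration; AudioVideoAuthentication
# shares this certificate and adds no names of its own.
Request-CsCertificate -New `
    -Type AccessEdgeExternal,WebConferencingEdgeExternal,AudioVideoAuthentication `
    -ComputerFqdn "edge1.example.local" `
    -FriendlyName "Lync Edge external" `
    -DomainName "access.public.com,webconf.public.com,sip.public.com" `
    -PrivateKeyExportable $true `
    -Output "C:\Certs\edge1-external.req"

# Once the CA returns the signed certificate (path assumed), import it and
# assign it to the Front End uses. The store lookup avoids guessing the
# thumbprint by hand.
Import-CsCertificate -Path "C:\Certs\fe1.cer" -PrivateKeyExportable $true
$fe1 = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=fe1.example.local*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint $fe1.Thumbprint

# Check: does the certificate now assigned to the Default use carry every
# SAN entry from the list? Reads the X.509 SAN extension directly.
function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.17 = Subject Alternative Name. Format($false) renders it as
    # "DNS Name=a, DNS Name=b" on English Windows; the label is localized on
    # other OS languages, so adjust the pattern there.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}

$required = "fe1.example.local","meet.public.com","dialin.public.com","admin.public.com"
$assigned = Get-CsCertificate -Type Default
$x509     = Get-Item "Cert:\LocalMachine\My\$($assigned.Thumbprint)"
$have     = Get-SanDnsNames $x509
$missing  = $required | Where-Object { $have -notcontains $_ }
if ($missing) { "Missing SAN entries: $($missing -join ', ')" } else { "All required SAN entries present" }
```

The same import/assign/check sequence applies to fe2 and to the two Edge certificates; only the `-Type` values and the required-name list change. The check is worth keeping as a script, because a certificate whose subject is right but whose SAN list is short is the usual cause of sign-in or simple-URL failures after a renewal.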
Hi,
Thank you for your help :)
I have another question, do I have to install a director server in this architecture?
Thanks
-
Thursday 5 April 2012 09:22
Hi,
Director server is an optional role for Lync Server deployment. Please check the following information to determine if you require it.
http://technet.microsoft.com/en-us/library/gg398879.aspx
Thus, if you don’t have a high volume of users, there is no requirement for you to deploy a Lync Director Server.
Regards,
Kent
-
Sunday 8 April 2012 10:55
Hello,
Thank you for your help :)
I followed the instructions on the site for certificate requirements (http://technet.microsoft.com/en-us/library/gg398094.aspx) and I did not understand this:
If this pool is the auto-logon server for clients and strict Domain Name System (DNS) matching is required in group policy, you also need entries for sip.sipdomain (for each SIP domain you have).
Can you explain to me what that means, please? I don't know if I have to add a SAN= sip.public.com or not.
Thank you
-
Wednesday 11 April 2012 01:46
Hi,
As I know, if all users log on with user@public.com, the client running Lync gets the relevant information through group policy and attempts to connect to a Front End pool using each of the three SRV records in order, regardless of whether you are signing in from inside or outside your network.
_sipinternaltls._tcp.public.com
_sipinternal._tcp.public.com
_sip._tls.public.com
After the SRV record is returned, a query is performed for the DNS A record (by FQDN) of the server or Front End pool associated with the SRV record. If no records are found during the DNS SRV query, the Lync client performs an explicit lookup of sipinternal.public.com. If the explicit lookup does not produce results, the Lync client performs a lookup for sip.public.com.
Thus, if the first two queries fail, it will perform a lookup for sip.public.com automatically. In this case, if sip.public.com is not included in the SAN of the front end certificate, the auto sign-in will fail.
It is recommended to include sip.public.com in SAN of front end certificate.
If you have any other questions, you can mark answer to close this post and try to create new one.
Regards,
Kent
- Marked as answer by Uchiha-Sasuke, Wednesday 11 April 2012 16:03
-
Wednesday 11 April 2012 16:03
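As an added example (not part of the thread), the lookup order described in the answer above, modelled as a small function that runs against a constructed in-memory zone instead of real DNS, together with a check of whether the name the client ends up connecting to appears in the Front End certificate's SN/SAN list. The record order and the two explicit fallbacks are the ones the answer lists; the default port and the "move on to the next SRV when its target has no A record" behaviour are assumptions of this model, not documented client behaviour.

```powershell
# Added example, not from the thread. Models the client sign-in lookup order
# described above against a constructed zone; port defaults and the
# next-SRV-on-missing-A rule are assumptions of this model.

$script:SrvOrder      = '_sipinternaltls._tcp.{0}', '_sipinternal._tcp.{0}', '_sip._tls.{0}'
$script:FallbackHosts = 'sipinternal.{0}', 'sip.{0}'

function Resolve-LyncSignIn {
    param([string]$SipDomain, [hashtable]$Srv, [hashtable]$A)
    # SRV records first, in order; a returned target still needs an A record.
    foreach ($tmpl in $script:SrvOrder) {
        $name = $tmpl -f $SipDomain
        if ($Srv.ContainsKey($name) -and $A.ContainsKey($Srv[$name].Target)) {
            return [pscustomobject]@{ Fqdn = $Srv[$name].Target; Port = $Srv[$name].Port; Via = $name }
        }
    }
    # No usable SRV: explicit A lookups, sipinternal.<domain> then sip.<domain>.
    foreach ($tmpl in $script:FallbackHosts) {
        $fqdn = $tmpl -f $SipDomain
        if ($A.ContainsKey($fqdn)) {
            return [pscustomobject]@{ Fqdn = $fqdn; Port = 5061; Via = "A record $fqdn" }
        }
    }
    return $null
}

function Test-NameCovered {
    # True when the FQDN the client connected to is in the certificate's SN or
    # SAN list (a *.domain entry is taken to cover exactly one label).
    param([string]$Fqdn, [string]$Subject, [string[]]$San)
    $names = @($Subject) + @($San) | ForEach-Object { $_.ToLower() }
    $f = $Fqdn.ToLower()
    if ($names -contains $f) { return $true }
    $parent = $f.Substring($f.IndexOf('.') + 1)
    return [bool]($names -contains "*.$parent")
}

# Constructed zone for public.com: no SRV records published, only A records.
$srv = @{}
$a   = @{ 'sip.public.com' = '203.0.113.5'; 'fe1.example.local' = '10.0.0.10' }
$hit = Resolve-LyncSignIn -SipDomain 'public.com' -Srv $srv -A $a
"Client would connect to $($hit.Fqdn):$($hit.Port) via $($hit.Via)"

# Front End certificate as listed earlier in the thread, with and without sip.public.com.
$subject = 'fe1.example.local'
$san     = 'fe1.example.local','meet.public.com','dialin.public.com','admin.public.com'
"Covered without sip.public.com in SAN: $(Test-NameCovered $hit.Fqdn $subject $san)"
"Covered with sip.public.com in SAN:    $(Test-NameCovered $hit.Fqdn $subject ($san + 'sip.public.com'))"

# Same check when _sipinternaltls._tcp.public.com exists and points at the server.
$srv2 = @{ '_sipinternaltls._tcp.public.com' = @{ Target = 'fe1.example.local'; Port = 5061 } }
$hit2 = Resolve-LyncSignIn -SipDomain 'public.com' -Srv $srv2 -A $a
"With SRV: connects to $($hit2.Fqdn) via $($hit2.Via); covered: $(Test-NameCovered $hit2.Fqdn $subject $san)"
```

Swapping the `$srv` and `$a` tables for the records actually published for a SIP domain shows which name the client will present for certificate matching; that name, not the server's own FQDN, is the one that has to be present in the SN or SAN list for the path in question.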
Hi,
It's very clear now, thank you :)
OK, I'll mark the answer.
-
Monday 30 April 2012 21:25
Question with your example. Let's say you define the SRV record for _sip._tls.public.com to point to a DNS A record of LyncAV.public.com. Assume further sip.public.com is not defined. It is my understanding that should work. For auto-configuration to then work correctly, does that mean one of the alternate names in the cert needs to be LyncAV.public.com instead of sip.public.com?

